Abstract. The Parameterised Model Checking Problem asks whether an implementation
Impl(t) satisfies a specification Spec(t) for all instantiations of parameter t. In general,
t can determine numerous entities: the number of processes used in a network, the type of
data, the capacities of buffers, etc. The main theme of this paper is automation of uniform
verification of a subclass of PMCP with the parameter of the first kind, i.e. the number of
processes in the network. We use CSP as our formalism.

We present a type reduction theory, which, for a given verification problem, establishes a
function φ that maps all (sufficiently large) instantiations T of the parameter to some fixed
type T̂ and allows us to deduce that if Spec(T̂) is refined by φ(Impl(T)), then (subject to
certain assumptions) Spec(T) is refined by Impl(T). The theory can be used in practice
by combining it with a suitable abstraction method that produces a t-independent process
Abstr that is refined by φ(Impl(T)) for all sufficiently large T. Then, by testing (with
a model checker) if the abstract model Abstr refines Spec(T̂), we can deduce a positive
answer to the original uniform verification problem.

The type reduction theory relies on symbolic representation of process behaviour. We 
develop a symbolic operational semantics for CSP processes that satisfy certain normality 
requirements, and we provide a set of translation rules that allow us to concretise symbolic 
transition graphs. Based on this, we prove results that allow us to infer behaviours of a 
process instantiated with uncollapsed types from known behaviours of the same process 
instantiated with a reduced type. 

One of the main advantages of our symbolic operational semantics and the type reduction
theory is their generality, which makes them applicable in a wide range of settings.



1. Introduction 

Until recently the primary method of correctness verification was testing, which, given an 
input, checks the produced output against the expected outcome. This approach suffers 
from two main problems. Firstly, it is almost always impossible to test every possible 
input and execution path. Secondly, testing works only for completed implementations. 
This makes it particularly unsuitable for verification of safety-critical systems; it is highly 
unlikely that someone would ever want to perform testing to verify that a nuclear power 
plant never blows up, for example. 

1998 ACM Subject Classification: D.1.3, D.2.4, D.3.2. 
In contrast to the above, formal verification methods concentrate on proving the correctness
of a given system. One approach to formal verification is model checking. Given
a model Impl of an implementation and a specification Spec that the model should satisfy,
verification via model checking occurs by exploring (explicitly or symbolically) all states
of Impl and checking if they satisfy Spec. The greatest advantage of model checking is
a large scope for automation, at the cost of being applicable only to finite-state systems
and a few families of infinite systems. In addition, if the implementation fails to satisfy
the specification, then model checking can produce a counterexample (a behaviour of the
implementation that is not allowed by the specification) that can be used for debugging
purposes. On the other hand, this approach to formal verification suffers from the state
explosion problem: the time complexity of verification algorithms depends on the size of the
implementation, which is typically exponential in the size of its description. This means
that standard model checking algorithms can only work in cases where the system to be
verified is of finite and (relatively) small size.

One approach to model checking, highly popularised by Clarke, Emerson and Grumberg
[CE81, CES86, CGL94, CGP99], is based on temporal logics, where specifications are
formulated as expressions in a linear time logic (e.g. LTL [Pnu77]) or a branching time logic
(e.g. CTL [EC80, BAMP81]). Another approach defines a partial order ⊑ on the set of all
expressible systems. The intuitive meaning of P ⊑ Q (pronounced "P refined by Q") for
systems P and Q is that Q is in some sense "better" than P, e.g. it is more deterministic,
less abstract or contains more implementation details (see Section 2.2 for the formal
definition). In this approach Spec and Impl are modelled using the same formalism and
Impl is said to satisfy Spec if and only if Spec ⊑ Impl. An immediate advantage of refinement
checking over temporal logic formulae satisfaction is the fact that what constitutes
a specification for a given implementation in one context can be treated as its abstraction
in another. This is a very useful feature when working with compositional construction of
implementations.

In this paper we use the refinement-based approach to model checking, where all implementations
and specifications are modelled using the CSP process algebra [Hoa85, Ros97, Ros10]
(see Section 2) and refinement checks are performed automatically using the FDR
model checker [For09].

It is often the case that specifications or implementations contain free variables. These
can be parameters that affect the topology of the system (e.g. the number of nodes in a
network or the number of users of a system), the types of data variables (e.g. datatypes of
database records or memory contents), performance parameters (e.g. bandwidths, response
times, clock speeds), or capacities of buffers or queues used. One is often interested in
the uniform verification of a given parameterised pair of a specification Spec and an implementation
Impl, i.e. in checking whether Impl satisfies Spec for all instantiations of the
parameters. Given such Spec and Impl, the Parameterised Verification Problem (PVP) asks
whether Impl can be uniformly verified against Spec. The Parameterised Model Checking
Problem (PMCP) is a subclass of PVP, where we insist on the verification occurring via
model checking.

In this paper we concentrate on a subclass of PMCP, where specifications and implementations
contain a single parameter t, called the distinguished type, which denotes the
type of identities of node processes running concurrently to form a network, possibly within
some larger system. More precisely, every family of implementations that we consider is of
the form¹

  Impl(t) = C_t[ || i ∈ t • [A(i, t)] N_i(t) ],

where:

• N_i(t) models a single, finite-state node with identity i, which can receive, store and
  send node identities from t;

• A(i, t) is the set of all visible events that N_i(t) can communicate (its alphabet);

• C_t[·] is some CSP context, for example one that places the nodes in parallel with a controller
  (possibly parameterised by t) and may hide some communication.

In fact, the results of this paper apply to more general implementation processes than the
above Impl(t), namely all that are fully symmetric in t (informally, that renaming the
elements of t under an arbitrary bijection gives an equivalent process; see Definition 3.6
below); however, Impl(t) captures those processes that we are particularly interested in.
Our overall aim, then, is to verify that for all sufficiently large instantiations T of t:

  Spec(T) ⊑ Impl(T),   (1.1)

where Spec(t) is a suitable specification process.

Throughout this paper we assume that every instantiation T of type parameter t is
non-empty and finite. In addition, without loss of generality, we assume that every instantiation
T of t is an initial segment of the natural numbers, i.e. T is of the form {0 . . n − 1}
for some n. Our results and techniques extend to other discrete and finite types T of size n
via simple bijections from {0 . . n − 1} to T. We allow processes to contain other parameters
in their syntax, but their values must be known and fixed at the time of writing the process
definition, or an additional technique for handling parameters (e.g. data independence
[Laz99, Ros97]) must be used for complete correctness analysis.

PMCP is, in general, undecidable [AK86], as the Halting Problem [Dav58] can be shown
to reduce to it. Therefore, we focus on sound (but incomplete) verification methods.

One general approach is to build a t-independent abstraction process Abstr that captures
the behaviours of all the Impl(T) processes, in a sense that we now explain. The
alphabets of Impl(T) are (in general) unbounded as a function of T; however, the alphabet
of Abstr needs to be fixed. Therefore, the construction of Abstr collapses T to some fixed
type T̂ = {0 . . B} for some non-negative integer B, treating all identities in {0 . . B − 1}
faithfully, but mapping all other identities onto B. More precisely, for all sufficiently large
instantiations T of type t, Abstr is such that²

  Abstr ⊑ φ(Impl(T))   (1.2)

holds by construction, where φ is a B-collapsing function:

Definition 1.1. A B-collapsing function is a function φ : T → {0 . . B} such that

• φ(v) = v for v ∈ {0 . . B − 1};

• φ(v) = B for v ∈ {B . . #T − 1}.

¹ The process || i ∈ I • [A(i)] P(i) denotes the parallel composition of the processes P(i) for i ∈ I, where
A(i) is the alphabet of P(i), and where nodes synchronise on all events in common between their alphabets;
see Section 2.

² The process f(P) is a process that acts like P, except every event a is renamed to f(a); see Section 5.
Having constructed such an Abstr, we can use a CSP model checker, such as FDR, to verify
that

  Spec(T̂) ⊑ Abstr.

Transitivity of refinement then allows us to deduce that

  Spec(T̂) ⊑ φ(Impl(T))   (1.3)

for all sufficiently large T. An example of such an abstraction method (based on counter
abstraction techniques [Lub84, PXZ02, ML09]) can be found in [Maz10, ML11].

The aim of this paper is to bridge the gap between equations (1.3) and (1.1). We
present a theory that, under suitable assumptions on the specification and implementation
processes, allows us to calculate a suitable value for B such that if equation (1.3) holds (for
the values of φ and T̂ corresponding to B), then equation (1.1) holds for all T such that
#T > B (smaller values of T can be tested directly). In particular, the value of B turns out
to depend only on the syntax of the specification, and is independent of the implementation.

Our theory is general, allowing us to combine it with an arbitrary abstraction method
that can produce an abstraction Abstr such that (1.2) holds.

The rest of this paper is structured as follows. In Section 2 we introduce the syntax
of the CSP process algebra, describe two of its denotational semantics models (traces and
stable failures) and briefly talk about FDR, a model checker for CSP. We also give an
example to illustrate the goals of this paper. In Section 3 we define the conditions we will
require the specification process to satisfy, and also the condition of symmetry in t that we
will require the implementation to satisfy.

Proving the main theorems will require us to develop quite a lot of supporting machinery,
in order to relate behaviours of the specification process for different values of the
parameter t. To this end, Section 4 is devoted to developing a suitable operational semantics
for CSP. The main part of this section presents a symbolic operational semantics that
allows us to reason about behaviour of processes without the need for instantiating parameters.
We also provide a set of translation rules for instantiating symbolic transition graphs
into concrete ones, and we prove that this results in an operational semantics congruent to
a fairly standard one.

Being able to reason about process behaviour in a symbolic way is a prerequisite for
our main theory. We present a number of regularity results for specifications in Section 5,
which show that specifications exhibit certain clarity in their behaviour. Our main type
reduction theory is in Section 6, where we provide type reduction theorems for the traces
and stable failures models. Finally, we conclude in Section 7. In the interests of readability,
we relegate most proofs to appendices.

2. Introduction to CSP

CSP [Hoa85, Ros97, Ros10] is a process algebra used for modelling and verification of
concurrent reactive systems with communication based on synchronous message passing.

CSP processes interact with each other and the environment within which they operate
by communicating events. Events occur on channels; for example, c.a.3 is an event over
channel c, passing data a and 3. We assume that each channel has a fixed type (i.e. can
pass a fixed number of pieces of data, and the type of the data passed in each position is
fixed). The notation {| c |} represents the set of events passed over channel c.

We let Σ be the set of all visible events. We let τ denote a special, internal event (not
in Σ). We write Σ^τ to mean Σ ∪ {τ}. We also write Σ* to mean the set of all finite sequences
of events from Σ.

2.1. Syntax. In this paper we use the fragment of CSP with the following syntax.

  P ::= STOP | a → P | P □ P | □ i ∈ I • P(i) | P ⊓ P | ⊓ i ∈ I • P(i) | P ▷ P
      | if b then P else P | b & P | P \ X | P[[R]] | P X||Y P
      | || i ∈ I • [A(i)] P(i) | P ||_X P | P ||| P | ||| i ∈ I • P(i) | X

The process STOP is a synonym for deadlock, i.e. it is the process that cannot engage
in any communication with the environment and cannot perform any events on its own.

The process a → P can perform any event that the construct a describes, and then subsequently
behaves like P. The construct a is an expression of the form c§₁x₁:X₁ . . . §_k x_k:X_k,
where

• c is a channel name;

• §_i ∈ {$, ?, !} is an input/output symbol;

• if §_i ∈ {$, ?}, then x_i is an input variable, otherwise it is an output value; and

• if §_i ∈ {$, ?}, then X_i is a type parameter or type of input, otherwise it is null.

The ! symbol denotes an output; ? denotes an input; $ denotes a nondeterministic choice
(which we sometimes call a nondeterministic input). The ? and $ operators both bind
variables to concrete values. For example, the process c$x:{0, 1}?y:{2, 3}!4 → d!(x+y) →
STOP nondeterministically chooses a value v ∈ {0, 1} and binds the variable x to that
value; it is then willing to perform any event of the form c.v.w.4 for w ∈ {2, 3}, and binds
the variable y to the value w; it then performs the event d.(v+w), and deadlocks. For
constructs where §_i = ! for every i, we use the more traditional . output symbol instead,
e.g. we write c.v₁.v₂.v₃ to mean c!v₁!v₂!v₃. Whenever X_i is null, we omit it in practice,
e.g. we write c!v instead of c!v:null. The only way a process can communicate a visible
event is via a prefix construct.

For two processes P and Q, the external (or deterministic) choice P □ Q is a process
that offers the environment the choice of performing any initial event of P or Q; if an
initial event of P is performed, then the choice is resolved to P, and if an initial event
of Q is performed, then the choice is resolved to Q. We can define a replicated version of
the operator: □ i ∈ I • P(i) is an external choice between processes P(i) for each i in
some finite indexing set I; we consider this as syntactic sugar for repeated use of the binary
operator.

P ⊓ Q represents an internal (or nondeterministic) choice, where the process behaves
either like P or like Q, where the choice is made by some mechanism that we do not
model and which cannot be influenced by the environment. We define a replicated version:
⊓ i ∈ I • P(i) is an internal choice between processes P(i) for each i in some finite, non-empty
indexing set I.

The sliding choice (or timeout) P ▷ Q is a process that behaves like P for a nondeterministically
long period of time, but if the environment does not engage in any activity
with P within this time, it switches to behaving like Q.



Standard CSP commonly also uses the . symbol, but this is only syntactic sugar and can always be
replaced by one of $, ?, !.

The process if b then P else Q is a conditional choice between processes P and Q. If
b evaluates to True, then this process behaves like P; otherwise it behaves like Q. The
process b & P is syntactic sugar for if b then P else STOP, i.e. P is enabled if and only
if guard b is true. We say "a conditional choice on t" to mean a conditional choice whose
boolean condition involves only variables and/or values of type t.

For any set X ⊆ Σ, P \ X is a process which behaves like P except that whenever P
would normally communicate an event from set X, P \ X performs the internal action, τ,
instead.

The process P[[R]], where R is a relation over Σ, is a process that behaves like P except
that whenever P would perform an event a, the renamed process performs an event b such
that a R b instead. We sometimes define the renaming relation using notation similar to
substitution: P[[b/a]] is a process that behaves like P except that whenever P would normally
perform a, the renamed process performs b instead. If R is a function, we sometimes
write the renaming using functional notation, R(P).

The notion of parallel composition of processes is key to CSP, allowing one to model
concurrency. The process P X||Y Q is a parallel composition of P and Q, where P is allowed
to communicate only members of the set of visible events X, Q is allowed to communicate
only members of the set of visible events Y, and synchronisation occurs on all common
events (i.e. those in X ∩ Y). We can define its replicated version: || i ∈ I • [A(i)] P(i)
is the parallel composition of processes P(i) indexed over a finite, non-empty set I, where
each P(i) is allowed to perform only events from A(i), and synchronises on event e ∈ A(i)
with each process P(j) such that e ∈ A(j). The process P ||_X Q is the parallel composition
of P and Q with handshaken synchronisation on all the members of the set of visible
events X. Finally, P ||| Q is the interleaving of P and Q: the processes run in parallel,
but do not synchronise on any event (note that this is equivalent to P ||_{} Q). We write
||| i ∈ I • P(i) for the replicated version.

Processes are defined by means of equations, such as P = a → P. We assume a global
environment E, mapping identifiers to process definitions, capturing these equations. When
a process identifier X is encountered in syntax, E is used to look up which process definition
should be substituted for X.

So far we have used the term "process" loosely. We now make an important distinction 
between process syntaxes (also called process definitions) and concrete processes. A process 
syntax is an open CSP term (i.e. one with free variables). On the other hand, every closed 
CSP term represents a process. For example, if Proc(t) is a term where t is free, then it 
is a process syntax and it represents a family of processes Proc(T), one for each concrete 
instantiation T. 

2.2. Denotational models and refinement. A trace of a process is a sequence of visible
events that it can perform. We write traces(P) for the traces of P.

Given a process P, we let initials(P) be the set of all the initially available visible
events of P, i.e.

  initials(P) = {a | ⟨a⟩ ∈ traces(P)}.

In addition, if tr is a trace of P, then P/tr (pronounced "P after tr") describes the behaviours
of P after it performs tr. So, in particular,

  initials(P/tr) = {a | tr ⌢ ⟨a⟩ ∈ traces(P)}.

CSP specifications are expressed in the same formalism as implementations, i.e. as
processes. An implementation Impl is said to satisfy a specification Spec if it refines it,
which we denote by writing Spec ⊑ Impl. Intuitively, process Q refines process P (or P is
refined by Q) if Q does not exhibit any behaviour that is not a behaviour of P. The type
of behaviour that identifies a CSP process depends on the denotational model that is used.
In the traces model refinement is defined by:

  P ⊑_T Q ⇔ traces(Q) ⊆ traces(P).

If P ⊑_T Q and Q ⊑_T P, then we say that P and Q are traces equivalent, denoted P =_T Q.
In the stable failures model, a process P is identified by the set of its traces (as above)
together with the set of its failures (written failures(P)). A failure is a pair (tr, X), where
tr ∈ traces(P) and X ⊆ Σ, and represents the behaviour where P performs trace tr to reach
a stable state P' (i.e. τ is not available in P'), in which it refuses the whole of X (i.e. none
of the events in X is available), denoted P' ref X. When refinement is interpreted over
the stable failures model, we get the notion of stable failures refinement:

  P ⊑_F Q ⇔ traces(Q) ⊆ traces(P) ∧ failures(Q) ⊆ failures(P).

If P ⊑_F Q and Q ⊑_F P, then we say that P and Q are stable failures equivalent, denoted
P =_F Q.

All denotational representations of a process P (including traces(P) and failures(P))
can be obtained using the rules of denotational semantics, which can be found, for example,
in [Ros97, Chapter 8]. An alternative approach (and the one we take most of the time in this
paper) is to extract denotational values from a labelled transition system representing P,
obtained by applying an operational semantics. We describe this method in more detail in
Section .

The FDR (Failures/Divergences Refinement) model checker [For09] allows one to automatically
perform refinement checks. When a CSP script with process definitions, say P
and Q, is loaded, FDR can automatically test for refinement P ⊑_M Q in a given denotational
model M.

2.3. Example. We give here a simple example, to illustrate the problem we are addressing
in this paper.

Consider a very simple token-based mutual exclusion protocol for a collection of nodes.
Each node i obtains the token (event getToken.i), enters and then leaves the critical section
(event enterCS.i, respectively, leaveCS.i), and returns the token (event returnToken.i):

  Node(i) = getToken.i → Entering(i),
  Entering(i) = enterCS.i → CS(i),
  CS(i) = leaveCS.i → Leaving(i),
  Leaving(i) = returnToken.i → Node(i).

The nodes are interleaved; recall that we use the variable t to denote the type of all node
identities:

  Nodes(t) = ||| i : t • Node(i).

The nodes are combined with a controller that controls the token, repeatedly giving it to
a node and receiving it back. The communications corresponding to passing the token are
considered internal so are hidden.

  Controller(t) = getToken$i:t → returnToken$j:t → Controller(t),
  Impl(t) = (Nodes(t) ||_{{| getToken, returnToken |}} Controller(t)) \ {| getToken, returnToken |}.

We would like to verify that at most a single node is in the critical section at a time.
We can capture this using the specification process

  Spec(t) = enterCS$i:t → leaveCS!i → Spec(t).

Our requirement, then, is

  Spec(T) ⊑_T Impl(T), for all instantiations T of t.   (2.2)

The approach we describe in [Maz10, ML11] is to form an abstraction of Nodes(t)
based on counter abstraction [PXZ02]. In the process NodesAbst(n, e, c, l), below, the four
counter parameters n, e, c and l represent the number of nodes in the Node, Entering, CS
and Leaving states, respectively; however the counting is capped at some value z, where
we take z = 2 in this case; hence a counter value of z represents that there are z or more
processes in the corresponding state. The definition of NodesAbst is based on the transitions
within a single Node process. For most transitions, the counter for the prior Node state is
decremented, and the counter for the new state is incremented, but not beyond z; we define
the following function to perform this:

  inc(x) = min(x + 1, z).

However, if the counter for the prior state was at the cap z, then there might have been
strictly more than z processes in this state before the transition, so the counter should
(nondeterministically) be able to stay at z.

  NodesAbst(n, e, c, l)(t) =
    (n > 0 & getToken$i:t →
       if n < z then NodesAbst(n − 1, inc(e), c, l)(t)
       else NodesAbst(n − 1, inc(e), c, l)(t) ⊓ NodesAbst(n, inc(e), c, l)(t))
    □
    (e > 0 & enterCS$i:t →
       if e < z then NodesAbst(n, e − 1, inc(c), l)(t)
       else NodesAbst(n, e − 1, inc(c), l)(t) ⊓ NodesAbst(n, e, inc(c), l)(t))
    □
    (c > 0 & leaveCS$i:t →
       if c < z then NodesAbst(n, e, c − 1, inc(l))(t)
       else NodesAbst(n, e, c − 1, inc(l))(t) ⊓ NodesAbst(n, e, c, inc(l))(t))
    □
    (l > 0 & returnToken$i:t →
       if l < z then NodesAbst(inc(n), e, c, l − 1)(t)
       else NodesAbst(inc(n), e, c, l − 1)(t) ⊓ NodesAbst(inc(n), e, c, l)(t)).

We can then build Abst from NodesAbst(z, 0, 0, 0) in the same way that we built Impl from
Nodes:

  Abst(t) = (NodesAbst(z, 0, 0, 0)(t) ||_{{| getToken, returnToken |}} Controller(t)) \ {| getToken, returnToken |}.

In [Maz10, ML11], we show that the process built in this way is an abstraction of the
Impl process in the following sense: for every non-negative integer B:

  Abst(T̂) ⊑_T φ(Impl(T)),   (2.3)

for all instantiations T of t with #T > B + z, where T̂ = {0 . . B}, and φ is a B-collapsing
function (see Definition 1.1). We pick B = 1 in this case. We can then use FDR to verify
that

  Spec(T̂) ⊑_T Abst(T̂),

and so deduce

  Spec(T̂) ⊑_T φ(Impl(T)), for all instantiations T of t with #T > B + z = 3,

by transitivity of refinement. The results in this paper will allow us to deduce our requirement
(2.2) from this. We stress, though, that the results in this paper can be used with any
abstraction method that produces a process Abst such that (2.3) holds for all sufficiently
large instantiations T of t.

It is worth noting that the technique in [Maz10, ML11] is rather more general than the
above example illustrates. It allows node processes to store the identities of other nodes,
and to pass them on in subsequent events; much of the difficulty of the theory concerns
treating these identities correctly.
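As an added worked example (not part of the paper, nor the authors' CSP_M scripts), the protocol of this section, its specification Spec(T), the counter abstraction Abst(T̂) and the B-collapsing function φ of Definition 1.1 are written as explicit transition systems in Python, together with a traces-refinement checker of the kind FDR implements (normalise the specification, then explore the product, reporting the shortest offending trace). The tuple event names, the TAU marker and the `tokens` switch (a constructed faulty controller, used only to obtain a counterexample) are assumptions of this example; the checks run requirement (2.2) for small T and relation (2.3) with B = 1, z = 2.

```python
"""Section 2.3's token-based mutual exclusion protocol as explicit transition systems, with a
traces-refinement checker that, like FDR, normalises the specification and explores the
product.  Added example: events are hypothetical tuples ('enterCS', i); hidden events are TAU."""
from collections import deque

TAU = None   # the internal event tau
Z, B = 2, 1  # counter cap z, and B of the B-collapsing function (T-hat = {0 .. B})

def phi(v):  # B-collapsing function (Definition 1.1)
    return v if v < B else B

def tau_closure(step, states):
    """States reachable from `states` by zero or more tau steps."""
    seen, todo = set(states), list(states)
    while todo:
        for ev, nxt in step(todo.pop()):
            if ev is TAU and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return frozenset(seen)

def refines_traces(spec, impl):
    """Decide Spec [=T Impl for processes given as (initial state, step function): None
    if traces(Impl) is a subset of traces(Spec), else a shortest offending trace of Impl."""
    (spec_init, spec_step), (impl_init, impl_step) = spec, impl
    start = (tau_closure(spec_step, {spec_init}), impl_init)
    trace_to, queue = {start: ()}, deque([start])  # visible trace reaching each pair
    while queue:
        pair = queue.popleft()
        spec_set, s = pair
        for ev, s2 in impl_step(s):
            if ev is TAU:
                nxt = (spec_set, s2)
            else:
                after = {q2 for q in spec_set for e2, q2 in spec_step(q) if e2 == ev}
                if not after:  # Impl performs ev but Spec cannot: refinement fails
                    return list(trace_to[pair]) + [ev]
                nxt = (tau_closure(spec_step, after), s2)
            if nxt not in trace_to:
                trace_to[nxt] = trace_to[pair] + (() if ev is TAU else (ev,))
                queue.append(nxt)
    return None

def spec(n):
    """Spec(T) = enterCS$i:T -> leaveCS!i -> Spec(T), T = {0..n-1}; state = node in CS."""
    def step(state):
        if state is None:
            for i in range(n):
                yield ('enterCS', i), i
        else:
            yield ('leaveCS', state), None
    return None, step

def impl(n, rename=lambda i: i, tokens=1):
    """Impl(T) = (Nodes(T) || Controller(T)) \\ {| getToken, returnToken |}; state = (node phases,
    tokens out). impl(n, phi) is phi(Impl(T)); tokens > 1 models a constructed faulty controller."""
    def step(state):
        nodes, out = state
        for i, phase in enumerate(nodes):
            at = lambda p: nodes[:i] + (p,) + nodes[i + 1:]
            if phase == 'Node' and out < tokens:  # getToken.i, hidden
                yield TAU, (at('Entering'), out + 1)
            elif phase == 'Entering':
                yield ('enterCS', rename(i)), (at('CS'), out)
            elif phase == 'CS':
                yield ('leaveCS', rename(i)), (at('Leaving'), out)
            elif phase == 'Leaving':              # returnToken.i, hidden
                yield TAU, (at('Node'), out - 1)
    return (('Node',) * n, 0), step

def abst():
    """Abst(T-hat) = (NodesAbst(z,0,0,0)(T-hat) || Controller(T-hat)) \\ {|...|};
    state = ((n, e, c, l), token out?).  A counter at the cap z may stay at z."""
    def shift(ctr, src, dst):  # move one abstract process from state src to state dst
        grown = list(ctr)
        grown[dst] = min(grown[dst] + 1, Z)  # inc(x) = min(x + 1, z)
        moved = list(grown)
        moved[src] -= 1
        yield tuple(moved)
        if ctr[src] == Z:  # more than z may have been in src, so it may stay at z
            yield tuple(grown)
    def step(state):
        ctr, held = state
        n, e, c, l = ctr
        if n > 0 and not held:  # getToken$i, hidden
            yield from ((TAU, (c2, True)) for c2 in shift(ctr, 0, 1))
        for i in range(B + 1):
            if e > 0:
                yield from ((('enterCS', i), (c2, held)) for c2 in shift(ctr, 1, 2))
            if c > 0:
                yield from ((('leaveCS', i), (c2, held)) for c2 in shift(ctr, 2, 3))
        if l > 0 and held:  # returnToken$i, hidden
            yield from ((TAU, (c2, False)) for c2 in shift(ctr, 3, 0))
    return ((Z, 0, 0, 0), False), step

def section_2_3_checks():
    """(2.2) for #T = 1..4 and (2.3) for #T = 3, 4, 5; None means the refinement holds."""
    return {'spec_vs_impl': [refines_traces(spec(n), impl(n)) for n in range(1, 5)],
            'abst_vs_phi_impl': [refines_traces(abst(), impl(n, phi)) for n in range(3, 6)]}
```

With `tokens=2` the checker returns the two-step trace in which two different nodes enter the critical section, the kind of counterexample the Introduction describes.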

3. Conditions on processes

In this section we define various conditions on processes that we will use later. In Section 6.1
we will mention tool support, which is able to test for most of the conditions in this section.

We mentioned above that we restrict our operational semantics to a fragment of the
CSP language when working with specifications. We aim to develop mathematical machinery
to prove (in Section 6) useful results about specifications that satisfy a certain normality
condition, which we define in Section 3.3. Earlier, in Section 3.1, we define data independence,
a crucial part of normality. We will strongly rely on our normality condition when
defining our Semi-Symbolic Operational Semantics (Section 4.3) and when deriving type
reduction theory results in Section 6.

In Section 3.4 we define the notion of type symmetry in the type t; our main theorems
will require the implementation process to satisfy this property. Then in Section 3.5 we
define a property concerning the use of equality tests; our main theorems will require the
specification process to satisfy this property.



T. MAZUR AND G. LOWE 



3.1. Data independence. Intuitively, we say that a process syntax treats type t data
independently if it inputs and outputs values of type t, possibly storing them for later use,
but does not perform any operations on these values that could influence either its control
flow or the instantiations of type t that can be used. The following definition of a data
independent process is based on the one from [Ros97].

Definition 3.1. We say that a CSP process syntax is data independent with respect to
type t if it does not contain:

(i) replicated constructs indexed over any set depending on t, except for replicated
nondeterministic choice (⊓) indexed over the whole of t; however, we allow the use
of deterministic and nondeterministic input selections, ? and $;

(ii) conditional choices on t, except for equality and inequality tests;

(iii) constants of type t;

(iv) functions whose domains or co-domains involve type t;

(v) operations on t, including polymorphic operations (e.g. tupling or lists);

(vi) selections from sets involving t, unless the selection is over the whole of t; and

(vii) any operations that would extract information about t, e.g. card(t).

Example 3.2. The Node(i)(T) processes from Section 2.3 are data independent in t.
However, Nodes(t) is not data independent because it uses an indexed interleaving over t.

Remark 3.3. Clauses (v) and (vi) of Definition 3.1 together imply that, for all constructs
c§₁x₁:X₁ . . . §_k x_k:X_k of a given data independent process syntax, each X_i is either a type
not related to t or precisely the type parameter t, unless §_i = !, in which case X_i = null.

3.2. The Seq condition. In order to produce our Semi-Symbolic Operational Semantics,
it is useful to restrict the scope of processes considered.

Definition 3.4. A process syntax Proc(t) satisfies Seq if

(i) it is data independent;

(ii) it is sequential and contains no renaming or hiding;

(iii) it contains no replicated external or nondeterministic choice (but we do allow nondeterministic
selections through the use of the $ symbol);

(iv) all guards of conditional choices within Proc(t) contain either only variables of type t,
or only variables and values of types other than t;

(v) in external and sliding choices, Proc(t) contains no name clashes between type t
nondeterministic-selection variables of one argument and free variables of another argument;
e.g. c$x:t → STOP □ d.x → STOP is not allowed;

(vi) constructs of Proc(t) do not contain multiple occurrences of the same input variable
of type t; e.g. c!x!x, and c?y:Y!y for Y not related to t are allowed, but c?x:t!x is
not.

Seq may be seen as a rather strong condition. However, in practice, almost all useful
specification processes can be easily re-written to meet its requirements; we justify this
below. Nevertheless, this condition does place restrictions on the way the specifications are
expressed. These restrictions will make the production of the semi-symbolic operational
semantics easier, and also simplify subsequent proofs.
We assume sequentiality (assumption (ii)). When a process is not sequential, it can be
rewritten into a sequential form using algebraic equivalences [Ros97]. Further, we forbid
indexed choice operators, since (for finite choices) such indexed operators can always be
replaced by binary ones. Note that this means that Seq processes are taken from processes
with the following syntax:

  P ::= STOP | a → P | P □ P | P ⊓ P | P ▷ P | if b then P else P | X.

Assumptions (iv)-(vi) have been introduced for technical reasons, to simplify the production
of the semi-symbolic operational semantics. With the exception of assumption (vi),
they do not reduce expressiveness.

Assumption (iv) simplifies our treatment of conditionals when working with symbolic representations of processes (see Section 4.3). Observe that the guard of every conditional can be expressed using predicates that involve only types other than the distinguished one, and predicates that involve only the distinguished type, combined together using conjunction and disjunction. The conjunctions and disjunctions can be eliminated using the laws:

if P ∨ P' then Q else R = if P then Q else (if P' then Q else R),

if P ∧ P' then Q else R = if P then (if P' then Q else R) else R.

Hence any process can be rewritten to satisfy assumption (iv).

We have introduced assumption (v) because we will later store assignments of values to variables explicitly; clashes of variable names could introduce undesirable updates of values in such assignments. For example, consider the syntax

in1$x:t → (out.x → STOP □ in2$x:t → STOP).

Here the value of x that is output using the construct out.x should be the value assigned to x at the time the nondeterministic selection on channel in1 is resolved. However, unless the output variable x is immediately substituted with the correct value, the nondeterministic selection on channel in2 can be resolved before the output is performed, leading to the value of x being overwritten. Using alpha-conversion, every process definition that fails assumption (v) can easily be rewritten into a form that satisfies it.

Assumption (vi) ensures that values of all outputs of type t have to be previously 
stored within a process's memory. This simplifies the semantics, and does not greatly 
reduce expressiveness. 

Thus, most processes can be rewritten into a form that satisfies Seq. 

3.3. The SeqNorm condition. When working with specification processes, it is desirable to ensure their clarity and conformance to a certain standard (normality) to make analyses of their behaviours easier. The SeqNorm condition, defined below, achieves this without a major reduction in expressiveness. Its effect is to remove all nondeterminism whose effect is not immediately observable. In particular, this condition will allow us to deduce that a process reaches a unique state after a particular trace (Proposition 5.3), and that a unique construct gives rise to each event following a given trace (Proposition 5.5).
Given a sequential, data independent process syntax P, we define Channels(P) to be the set of the channel names of the initial constructs of P. Formally,

$\mathit{Channels}(STOP) = \{\}$,

$\mathit{Channels}(c\,\S_1 x_1{:}X_1 \ldots \S_k x_k{:}X_k \to P) = \{c\}$,

$\mathit{Channels}(P \,\Box\, Q) = \mathit{Channels}(P) \cup \mathit{Channels}(Q)$,

$\mathit{Channels}(P \sqcap Q) = \mathit{Channels}(P) \cup \mathit{Channels}(Q)$,

$\mathit{Channels}(P \rhd Q) = \mathit{Channels}(P) \cup \mathit{Channels}(Q)$,

$\mathit{Channels}(X) = \mathit{Channels}(P)$, if $E(X) = P$.

Definition 3.5. A process syntax Proc(t) satisfies SeqNorm if it satisfies Seq, and in addition for all external choices P(t) □ Q(t), internal choices P(t) ⊓ Q(t) and sliding choices P(t) ▷ Q(t) within Proc(t) we have that

• Channels(P(t)) ∩ Channels(Q(t)) = {},

• every conditional choice on t in P(t) and Q(t) is after a prefix.

Our definition of SeqNorm is similar to definitions of Norm used in the CSP literature [Ros97, Laz99], except that it includes Seq, since we will always use SeqNorm with processes that satisfy Seq.

The first clause does restrict expressiveness. It bans processes such as c!x → P ⊓ c!y → Q. This is necessary to ensure that a unique construct gives rise to each event (after a given trace), and that a process reaches a unique state after a particular trace; for example, without this condition, the above process could perform the event c.0 resulting from either construct (assuming x and y both have value 0), and could reach either state P or Q after this event.

If a particular process syntax fails SeqNorm because of the second clause of Definition 3.5 (a conditional choice on t that is an immediate operand of a choice rather than after a prefix), then the following algebraic laws can be used to convert it to an equivalent process definition satisfying this clause:

P M (if b then Q else R) = if b then (P M Q) else (P M R),

(if b then Q else R) M P = if b then (Q M P) else (R M P),

where M is one of □, ⊓ or ▷.

Thus, most processes can be rewritten into a form that satisfies SeqNorm. (A similar observation about the related Norm condition is made in [Ros97, Section 15.2].) Indeed, we are not aware of any specification used in practice that cannot.
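To make the two clauses of Definition 3.5 and the rewriting step above concrete, here is an added Python example (not code from the paper) that represents the Seq fragment as a small syntax tree, computes Channels, checks the two extra clauses of SeqNorm, and applies the two distributive laws. It assumes that every conditional in the tree is a conditional on t, that process identifiers refer to definitions whose bodies start with a prefix or a choice (so Channels on identifiers terminates), and that Seq itself has already been established; the specification used as input is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Stop:
    pass


@dataclass(frozen=True)
class Prefix:          # c §1 x1:X1 ... §k xk:Xk -> then; the fields are kept opaque here
    channel: str
    fields: tuple
    then: object


@dataclass(frozen=True)
class Choice:          # op is one of "[]" (external), "|~|" (internal), "[>" (sliding)
    op: str
    left: object
    right: object


@dataclass(frozen=True)
class If:              # if cond then then else orelse; assumed to be a conditional on t
    cond: str
    then: object
    orelse: object


@dataclass(frozen=True)
class Name:            # process identifier X with E(X) = defs[X]
    name: str


def channels(p, defs):
    """Channels(P): the channel names of the initial constructs of P (Section 3.3)."""
    if isinstance(p, Stop):
        return frozenset()
    if isinstance(p, Prefix):
        return frozenset({p.channel})
    if isinstance(p, Choice):
        return channels(p.left, defs) | channels(p.right, defs)
    if isinstance(p, Name):
        return channels(defs[p.name], defs)
    raise ValueError("Channels is not defined for a leading conditional")


def seq_norm(p, defs):
    """The two extra clauses of Definition 3.5: operands of every choice have disjoint Channels,
    and no conditional is an immediate operand of a choice (every conditional is after a prefix).
    Seq itself is assumed to hold already; definition bodies are checked on their own."""
    if isinstance(p, Prefix):
        return seq_norm(p.then, defs)
    if isinstance(p, If):
        return seq_norm(p.then, defs) and seq_norm(p.orelse, defs)
    if isinstance(p, Choice):
        if not (seq_norm(p.left, defs) and seq_norm(p.right, defs)):
            return False
        if isinstance(p.left, If) or isinstance(p.right, If):
            return False
        return not (channels(p.left, defs) & channels(p.right, defs))
    return True            # Stop, Name


def push_conditionals(p):
    """Apply  P M (if b then Q else R) = if b then (P M Q) else (P M R)  and its mirror image,
    bottom-up, until no conditional is an immediate operand of a choice."""
    if isinstance(p, Prefix):
        return Prefix(p.channel, p.fields, push_conditionals(p.then))
    if isinstance(p, If):
        return If(p.cond, push_conditionals(p.then), push_conditionals(p.orelse))
    if isinstance(p, Choice):
        l, r = push_conditionals(p.left), push_conditionals(p.right)
        if isinstance(r, If):
            return If(r.cond, push_conditionals(Choice(p.op, l, r.then)),
                      push_conditionals(Choice(p.op, l, r.orelse)))
        if isinstance(l, If):
            return If(l.cond, push_conditionals(Choice(p.op, l.then, r)),
                      push_conditionals(Choice(p.op, l.orelse, r)))
        return Choice(p.op, l, r)
    return p


# Constructed specification: a?x:t?y:t -> (b!x -> STOP [] if x = y then c -> STOP else STOP).
# The conditional is an immediate operand of the external choice, so SeqNorm fails before rewriting.
SPEC = Prefix("a", (("?", "x", "t"), ("?", "y", "t")),
              Choice("[]", Prefix("b", (("!", "x"),), Stop()),
                     If("x = y", Prefix("c", (), Stop()), Stop())))

# The banned process of Section 3.3: c!x -> P |~| c!y -> Q shares channel c between the operands.
CLASH = Choice("|~|", Prefix("c", (("!", "x"),), Name("P")), Prefix("c", (("!", "y"),), Name("Q")))
DEFS = {"P": Stop(), "Q": Stop()}

if __name__ == "__main__":
    print(seq_norm(SPEC, {}), seq_norm(push_conditionals(SPEC), {}))
    print(seq_norm(CLASH, DEFS))
```

After push_conditionals, SPEC becomes a?x:t?y:t → if x = y then (b!x → STOP □ c → STOP) else (b!x → STOP □ STOP): the conditional now sits after the prefix and both choices have disjoint channel sets, so the check passes. The CLASH process cannot be repaired by rewriting, which is exactly the loss of expressiveness the first clause imposes.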

3.4. Type symmetry. In Section 3.1 we defined the concept of data independence which, undoubtedly, is a very useful property for studying parameterised systems [CR98, RB99, CR99, Low04, RLN04]. However, in practice it turns out to be too strong for the implementations we consider, since we study parallel compositions of node processes indexed over the parameter. Such compositions are banned by data independence. This is why we define a weaker condition, which only requires all behaviours of a given process to be symmetric in the parameter. A process syntax satisfies the TypeSym condition if the behaviours of all its concretisations are invariant under permutations of values of parameter instantiations. Given such a permutation π, we write [[π]] for the renaming [[π(e)/e | e ∈ Σ]].

Definition 3.6. A process syntax Proc(t) satisfies the condition TypeSym if Proc(T) and Proc(T)[[π]] are bisimilar for every T and every bijection π : T → T.
Example 3.7. Consider the process

COPY(t) = in?x:t → out!x → COPY(t).

This satisfies TypeSym, informally because it treats all elements of t the same. More formally, given an instantiation T of t and a bijection π : T → T, the relevant bisimulation is

$\{(COPY(T),\ COPY(T)[[\pi]])\} \cup \{(out!v \to COPY(T),\ (out!\pi^{-1}(v) \to COPY(T))[[\pi]]) \mid v \in T\}$.

Example 3.8. Consider a system of N (where N = #T) nodes that communicate using a ring topology, where each node i can send messages only to the node (i + 1) mod N. For example (rather trivially):

N_i(t) = send!i!(i ⊕ 1) → N_i(t) ⊓ send!i!(i ⊖ 1) → N_i(t),

Nodes(t) = ‖ i ∈ t • [{send.i.(i ⊕ 1), send.i.(i ⊖ 1)}] N_i(t),

where ⊕ and ⊖ represent addition and subtraction mod N. This does not satisfy TypeSym, which insists that the process is fully symmetric. For example, if T = {0..3} then Nodes(T) has the trace ⟨send.1.2⟩ but does not have the trace ⟨send.1.3⟩, so TypeSym does not hold for π = {0 ↦ 2, 1 ↦ 1, 2 ↦ 3, 3 ↦ 0}.

Semantic definitions like Definition 3.6 tend to be hard to check efficiently, so we note here sufficient syntactic conditions for TypeSym.

Proposition 3.9. A process syntax Proc(t) satisfies the condition TypeSym if it uses no 

(i) constants of type t; 

(ii) operations on type t, including polymorphic operations (e.g. tupling or lists); 

(iii) functions whose domains or co-domains involve type t; 

(iv) selections or indexing from sets involving t, unless the selection or indexing is over the 
whole of t, except this restriction does not apply to the alphabets of nodes in a parallel 
composition indexed over t; and 

(v) conditional choices on t, except for equality and inequality tests. 

Note that the process of Example 3.7 satisfies the conditions of this proposition, but the process of Example 3.8 does not, because arithmetic operations are applied to type t.

Proof sketch. Let CSP_t be the set of CSP syntaxes parameterised by t, all of whose free variables (other than t itself) are of type t and which satisfy the conditions of the proposition. We use [Γ] to denote the syntactic substitution [Γ(x)/x | x ∈ dom(Γ)] and FV(P(t)) to denote the free variables of P(t). Then

$B = \{(P(T)[\Gamma],\ (P(T)[\pi^{-1} \circ \Gamma])[[\pi]]) \mid P(t) \in CSP_t,\ \Gamma \in FV(P(t)) \to T\}$

is the required strong bisimulation relation (π⁻¹ ∘ Γ assigns π⁻¹(Γ(x)) to each x). The proof is a structural induction on P(t). □

In practice, most systems where the nodes communicate using a fully connected topology satisfy these conditions. In [Mof10], Moffat proves a very similar result for a larger fragment of the machine-readable CSP language, including the underlying functional language.

The syntactic definition of data independence (Definition 3.1) comprises a superset of the requirements of Proposition 3.9, so we immediately have the following result.

Corollary 3.10. Every data independent process satisfies TypeSym.
Example 3.11. Consider a system built as the parallel composition of node processes N_i(t) for each i ∈ t:

Nodes(t) = ‖ i ∈ t • [A(i, t)] N_i(t).

This process syntax satisfies TypeSym provided:

• the node process N_i(t) satisfies the conditions of Proposition 3.9, so in particular it treats its "identity" parameter i polymorphically; informally, different nodes need to be identical up to renaming of the identities;

• the alphabet A(i, t) satisfies the conditions of Proposition 3.9, so in particular no operations on type t are applied; informally, the different alphabets depend only on the identities i, polymorphically.

Note, though, that Nodes(t) does not satisfy data independence, since it contains a replicated operator (parallel composition) that is indexed over t.

Further, if we define the context C_t[·] that composes its argument with a controller process Ctrl_t and hides some events:

$C_t[X] = (X \parallel_{A_t} Ctrl_t) \setminus B_t$

then C_t[Nodes(t)] satisfies TypeSym provided:

• the controller process Ctrl_t satisfies the conditions of Proposition 3.9; informally, it needs to treat different nodes in the same way;

• the sets A_t and B_t satisfy the conditions of Proposition 3.9.

Recall that this is the type of implementation process that we considered in the Introduction. In particular, the example from Section 2.3 meets this pattern.

Example 3.12. The process □ y:t • c?x:(t \ {y})!y → STOP satisfies TypeSym. However, it does not satisfy the conditions of Proposition 3.9, in particular because x is selected from a proper subset of t.

The following remark is a direct consequence of the TypeSym condition. 

Remark 3.13. Suppose that Proc(t) satisfies TypeSym. Then, for all T:

• if tr ∈ traces(Proc(T)) then for all bijections π : T → T, π(tr) ∈ traces(Proc(T));

• if (tr, X) ∈ failures(Proc(T)) then for all bijections π : T → T, (π(tr), π(X)) ∈ failures(Proc(T)).
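The trace clause of Remark 3.13 gives a cheap finite check that can refute TypeSym for a concrete instance: enumerate the traces up to a fixed length, apply every bijection on T, and look for a renamed trace that is missing. The following Python is an added example, not the paper's code. COPY(T) and the ring Nodes(T) of Example 3.8 are encoded by hand as successor functions over constructed states (an assumption of this example, not a notation from the paper), and depth-bounded enumeration can only find counterexamples; it never proves TypeSym.

```python
from itertools import permutations


def copy_proc(T):
    """COPY(T) = in?x:T -> out!x -> COPY(T), as (initial state, successor function).
    State None = waiting for input; state v = holding value v."""
    def succ(state):
        if state is None:
            return [(("in", v), v) for v in T]
        return [(("out", state), None)]
    return None, succ


def ring(T):
    """Nodes(T) of Example 3.8: node i may send to i (+) 1 or i (-) 1 (mod N), forever.
    T is assumed to be the integers 0..N-1 so that the modular arithmetic makes sense."""
    N = len(T)

    def succ(state):
        return [(("send", i, (i + d) % N), state) for i in T for d in (1, -1)]
    return "ring", succ


def bounded_traces(proc, depth):
    """All traces of length <= depth of a process given as (initial, successor)."""
    init, succ = proc
    frontier, result = {(init, ())}, set()
    for _ in range(depth + 1):
        result |= {tr for _, tr in frontier}
        frontier = {(n, tr + (ev,)) for s, tr in frontier for ev, n in succ(s)}
    return result


def rename(tr, pi):
    """pi(tr): apply the bijection pi to every T-valued field of every event in tr.
    Channel names (the first component of an event) are left alone."""
    return tuple((ev[0],) + tuple(pi[c] for c in ev[1:]) for ev in tr)


def trace_symmetry_counterexample(proc, T, depth=2):
    """First (pi, tr) with tr a trace but pi(tr) not a trace (up to the given depth),
    or None if the bounded trace set is invariant under every bijection on T."""
    trs = bounded_traces(proc, depth)
    for perm in permutations(T):
        pi = dict(zip(T, perm))
        for tr in sorted(trs):
            if rename(tr, pi) not in trs:
                return pi, tr
    return None


if __name__ == "__main__":
    T = (0, 1, 2, 3)
    print("COPY:", trace_symmetry_counterexample(copy_proc(T), T))
    print("ring:", trace_symmetry_counterexample(ring(T), T))
```

For the ring with T = {0..3} the search finds, among others, the paper's witness: under π = {0 ↦ 2, 1 ↦ 1, 2 ↦ 3, 3 ↦ 0} the trace ⟨send.1.2⟩ is renamed to ⟨send.1.3⟩, which the ring cannot perform. For COPY no bijection produces a missing trace at any depth, as expected from Example 3.7.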

3.5. Equality tests. The syntactic condition PosConjEqT, formulated by Lazic in [LR98, Chapter 3], specifies that for a conditional choice with an equality test on t, the positive branch is a prefix and the negative branch is simply STOP. In [Ros98, RB99] a weaker version of PosConjEqT is discussed, where no restriction on the process in the positive branch is in place. Both of these definitions talk about the condition only in relation to the traces model, but it is easy to extend it to other models of CSP, as the following definition shows.

Definition 3.14. Given a CSP model M we say that a process syntax Proc(t) satisfies PosConjEqT_M if for every conditional choice on t of the form

if cond then P(x_1, ..., x_k) else Q(x_1, ..., x_k)

within Proc(t), we have that

• cond is a positive conjunction of equality tests on t (which gives rise to the name of the condition), and

• P(v_1, ..., v_k) ⊑_M Q(v_1, ..., v_k) for all values v_1, ..., v_k.

For technical reasons, it will be desirable in our work to assume the opposite condition 
for specifications: that every positive branch of a conditional choice is a refinement of the 
negative branch. This can be viewed as a reversed version of PosConjEqT^. Hence, we 
have the following definition. 

Definition 3.15. Given a CSP model M we say that a process syntax Proc(t) satisfies RevPosConjEqT_M if for every conditional choice on t of the form

if cond then P(x_1, ..., x_k) else Q(x_1, ..., x_k)

within Proc(t), we have that

• cond is a positive conjunction of equality tests on t, and

• Q(v_1, ..., v_k) ⊑_M P(v_1, ..., v_k) for all values v_1, ..., v_k.

Whenever M is clear from the context, we will simply write RevPosConjEqT.

Example 3.16. The process syntax

Proc(t) = in?x:t?y:t?z:t → if x = y then out!x → out!y → STOP
                                      else out$z:t → (out!y → STOP ⊓ STOP)

satisfies RevPosConjEqT_F. However, the process syntax

Proc(t) = in?x:t?y:t → if x = y then out!x → STOP
                                   else out!y → STOP

does not satisfy RevPosConjEqT_T, because if x and y are two distinct values, then out!y → STOP ⋢_T out!x → STOP.

Most specification processes that one tends to use in practice do not contain conditionals, so vacuously satisfy both PosConjEqT_M and RevPosConjEqT_M for all models M. Further, our experience is that many specifications that do contain conditionals satisfy RevPosConjEqT_M.

4. Operational semantics 

The main usefulness of a process algebra (like CSP) comes from the fact that it allows us to 
reason about programs and processes rigorously. In this section we look into the operational 
semantics for CSP. An operational semantics provides a precise step-by-step description of 
how processes execute. It describes state changes as effects of events being performed by 
representing processes using labelled transition systems, defined as follows. 

Definition 4.1. A labelled transition system (LTS) is a tuple $\mathcal{L} = (S, s_0, L, \to)$, where S is a set of states, $s_0 \in S$ is an initial state, L is a set of labels, and $\to \subseteq S \times L \times S$ is a transition relation. We refer to S as the set of states of $\mathcal{L}$.

In Section 4.1 we give some useful notation and definitions that we will repeatedly use throughout the rest of this paper.

The various operational semantics we present in this paper do not aim to be complete. Their main purpose is to formalise the foundations for the results regarding specifications presented in Section 6. This is why we describe only the minimal operational semantics that allow us to generate transition graphs of the processes that we consider in that section. We therefore restrict ourselves to processes that satisfy Seq throughout this section. As noted above, most CSP specifications one uses in practice lie within this fragment of CSP, and others can be rewritten into this form using algebraic laws. We stress, though, that implementation processes can be written using the full syntax of CSP.

Operational semantics can be defined at different levels of abstraction. In Section 4.2 we present a fairly standard operational semantics at the lowest, implementation level. It
generates LTSs from process syntax with no free variables. This means that all parameters 
must be substituted with concrete values before the transition rules can be used. When 
variables become bound as the result of inputs or nondeterministic selections, the binding 
is reflected by syntactic substitution. 

We introduce a running example, which we use to illustrate the different styles of 
operational semantics. 

Example 4.2. Let

P(t) = c$x:{a, b}$y:t?z:t → if y = z then d!x → STOP else STOP.

In Figure 1 we represent the standard operational semantics for P(T) where T = {0, 1}. We omit part of the semantics because of lack of space. In the figure, we write Q_{x,y,z} as a shorthand for if y = z then d!x → STOP else STOP. For compatibility with the later semantics, we choose to resolve all non-type-t nondeterministic selections before the type-t nondeterministic selections: hence the τ transitions from the initial state correspond to resolving the "$x:{a, b}" selection, and the τ transitions from the subsequent states correspond to resolving the "$y:t" selection. The transitions labelled with events on channel c also have the effect of resolving the subsequent conditional ("if y = z ...").



[Figure 1 (diagram omitted in this text rendering). The LTS of P(T): from P(T), τ transitions lead to c!a$y:T?z:T → Q_{a,y,z} and c!b$y:T?z:T → Q_{b,y,z}; further τ transitions lead to c!a!0?z:T → Q_{a,0,z} and c!a!1?z:T → Q_{a,1,z}; the visible events c.a.0.0, c.a.0.1, c.a.1.0 and c.a.1.1 lead to d!a → STOP (when y = z) or STOP (otherwise); d.a then leads to STOP. The b branch is analogous.]

Figure 1: Operational semantics for P(T) from Example 4.2 with T = {0,1}.

One of the main shortcomings of such an operational semantics, when working with parameterised systems, is the need for repetitive application of the transition rules for each instantiation of the parameters: this is reflected in Figure 1, where the number of transitions depends on the size of T. Lazic addressed this problem in [Laz99] by defining a symbolic operational semantics (for a language similar to CSP, but with the addition of certain lambda calculus terms), where the variables related to the parameters are never instantiated, but rather left as symbols, when an LTS is generated. The advantage of such an approach is that, given a parameterised process syntax, a single symbolic LTS is generated and each of the concrete LTSs can be easily obtained from it by an assignment of values¹. Such a symbolic LTS can be viewed as a formal structure that captures the essence of the behaviour of a process; it hides the details of the data values, concentrating on the control states between which a process can move by executing actions. This sort of symbolic structure is precisely what we need for our work in Section 6. However, the assumptions we make about the processes with which we work cause the application of Lazic's work to be unnecessarily complex for our needs.

[Figure 2 (diagram omitted in this text rendering). The SSLTS of P(t): from P(t), τ transitions lead to c!a$y:t?z:t → Q_{a,y,z} and c!b$y:t?z:t → Q_{b,y,z}; the symbolic events c!a$y:t?z:t and c!b$y:t?z:t lead to Q_{a,y,z} and Q_{b,y,z}; the conditional transitions y = z and ¬y = z lead to d!a → STOP (respectively d!b → STOP) and to STOP; the events d.a and d.b lead to STOP.]

Figure 2: Semi-symbolic operational semantics for P(t) from Example 4.3.

In Section 4.3 we define Semi-Symbolic Operational Semantics (SSOS), a symbolic operational semantics similar to the one from [Laz99]. We explain the idea of SSOS via our running example.

Example 4.3. Recall the following process from Example 4.2:

P(t) = c$x:{a, b}$y:t?z:t → if y = z then d!x → STOP else STOP.

In Figure 2 we represent the semi-symbolic operational semantics for P(t). We again write Q_{x,y,z} as a shorthand for if y = z then d!x → STOP else STOP. Note that transitions are symbolic in that they contain variables corresponding to type-t selections; however, non-type-t values are treated concretely. Further, we include transitions corresponding to the conditional, labelled with the condition ("y = z") and its negation ("¬y = z") respectively.

The states of the resulting semi-symbolic LTSs (SSLTSs) can be viewed as the control states of families of concrete processes. In order to fully concretise them, it is enough to provide a map from variable names to concrete values; such a map will be called an environment. In Section 4.4 we describe Concrete Operational Semantics with Environments (COSE), a concrete operational semantics which, for a fixed instantiation of the distinguished type, creates LTSs whose states are triples consisting of a symbolic state (or a modification of such), an environment giving values to the type-t free variables, and the instantiation of the distinguished type. The specification of COSE is provided as a set of translation rules from SSOS, rather than a set of transition rules. We illustrate the idea via our running example.

¹ In Lazic's work individual concrete LTSs are, in fact, never generated. Instead, the relationships with denotational semantics are established and the denotational values are derived directly from symbolic LTSs.
[Figure 3 (diagram omitted in this text rendering). COSE states are pairs of a symbolic state and an environment: from (P(t), {}), τ transitions lead to (c!a$y:t?z:t → Q_{a,y,z}, {}) and its b counterpart; further τ transitions lead to (c!a!y?z:t → Q_{a,y,z}, {y ↦ 0}) and (c!a!y?z:t → Q_{a,y,z}, {y ↦ 1}); the concrete events c.a.0.0, c.a.0.1, c.a.1.0 and c.a.1.1 lead to states whose environments also bind z, and eventually to (STOP, {}).]

Figure 3: Concrete operational semantics with environments for P(T) with T = {0, 1}.

Example 4.4. Recall the process P(t) from above. Figure 3 gives the COSE semantics for P(T) with T = {0, 1} (strictly speaking, each state should also include T as a third term; we omit this due to lack of space). The τ transitions from the initial state correspond to resolving the "$x:{a, b}" selection; since x is not of type t, the choice of x is reflected by syntactic substitution. The τ transitions from the subsequent states correspond to resolving the "$y:t" selection; the environment stores the resulting value for y. The subsequent transitions with events on channel c resolve the "?z:t" choices; the environment stores the resulting value for z. Note also that this operational semantics is strongly bisimilar to the semantics in Figure 1.

We show in Section 4.5 that the combination of SSOS and the translation rules of COSE is always bisimilar to the standard one. Finally, we define the relationship between symbolic traces and concrete traces in Section 4.6.

4.1. General definitions and notation. We present some notation and definitions that 
will often be used in the following sections. Additional pieces of notation and local defini- 
tions will be introduced in the relevant parts of this section. 

We define Value to be the set of all values, and Var to be the set of all variable names; we assume Var ∩ Value = {}.

Prefix constructs may depend on the distinguished type, so, in theory, they should be 
decorated with parameter t, e.g. Proc(t) = a(t) — > Proc'(t). However, for brevity, we omit 
the parameter (or its instantiation) where it is clear from the context or indifferent. 

For any construct a of the form c§_1x_1:X_1 ... §_kx_k:X_k, we define functions that return index sets of variables and values within a, based on their type and the kind of input or output they model:

$\$^{t}(a) = \{ i \in \{1..k\} \mid \S_i = \$ \wedge X_i = t \}$,

$\$^{non\text{-}t}(a) = \{ i \in \{1..k\} \mid \S_i = \$ \wedge X_i \neq t \}$,

$\$(a) = \$^{t}(a) \cup \$^{non\text{-}t}(a)$,

${?}^{t}(a) = \{ i \in \{1..k\} \mid \S_i = {?} \wedge X_i = t \}$,

${?}^{non\text{-}t}(a) = \{ i \in \{1..k\} \mid \S_i = {?} \wedge X_i \neq t \}$,

${?}(a) = {?}^{t}(a) \cup {?}^{non\text{-}t}(a)$,

${!}^{t}(a) = \{ i \in \{1..k\} \mid \S_i = {!} \wedge x_i \text{ is of type } t \}$,

${!}^{non\text{-}t}(a) = \{ i \in \{1..k\} \mid \S_i = {!} \wedge x_i \text{ is not of type } t \}$,

${!}(a) = {!}^{t}(a) \cup {!}^{non\text{-}t}(a)$.

The following functions allow us to modify constructs. Let a = c§_1x_1:X_1 ... §_kx_k:X_k and let † be either t or non-t.

• We define $\mathit{Replace}^{\dagger}_{\$\to!}(a)$ to be a construct like a, but where for every i in $\$^{\dagger}(a)$ the symbol §_i (which must be a $) is replaced by a ! and X_i is replaced by null;

• $\mathit{Replace}_{\$\to!} = \mathit{Replace}^{t}_{\$\to!} \circ \mathit{Replace}^{non\text{-}t}_{\$\to!}$.

Example 4.5. Let e = c$x_1:t?x_2:t$x_3:X!x_4, where X is a type not related to t and x_4 is some output variable. Then

$\mathit{Replace}^{t}_{\$\to!}(e) = c!x_1?x_2{:}t\$x_3{:}X!x_4$,

$\mathit{Replace}^{non\text{-}t}_{\$\to!}(e) = c\$x_1{:}t?x_2{:}t!x_3!x_4$,

$\mathit{Replace}_{\$\to!}(e) = c!x_1?x_2{:}t!x_3!x_4$.

Substitution will play an important role in defining the operational semantics in the 
following sections. We use square brackets to denote substitution: for a variable x and a 
value v, P[v/x] is like P, but with every free occurrence of x replaced with v (here, P can be 
a process, a definition of a set, a definition of a relation, etc). Substitution is different from 
renaming, since renaming is a function or relation from values to values, while substitution 
is a function from variables to values. 

4.2. Standard CSP operational semantics. In this section we present a standard operational semantics for the fragment of CSP corresponding to Seq, i.e. excluding parallel operators, hiding and renaming. (Rules for the remainder of the syntax can be found in, e.g., [Ros97], but we do not need them in this paper.) The operational semantics generates LTSs from syntax without free variables. This means that, when dealing with parameterised processes, all parameters have to be assigned concrete values before the transition rules can be applied. We let T be a fixed instantiation of type t.

We distinguish two types of transitions: visible and internal. An internal transition, labelled with τ, represents an event that can be performed by a process without any interaction with the environment and which is not observable by the environment. A visible transition, on the other hand, is labelled with an event that is observable by the environment, and requires its synchronisation in order to be performed. We write $P \xrightarrow{a} Q$ to mean that there is an a-labelled transition from state P to state Q.
4.2.1. Transition rules. Most of the transition rules are given in Figure 4 and are standard. We concentrate our discussion on the semantics for prefixing; a slightly non-standard treatment is required due to the addition of nondeterministic selections.

External choice:

$\dfrac{P(T) \xrightarrow{\tau} P'(T)}{P(T) \,\Box\, Q(T) \xrightarrow{\tau} P'(T) \,\Box\, Q(T)}$ \qquad $\dfrac{P(T) \xrightarrow{a} P'(T)}{P(T) \,\Box\, Q(T) \xrightarrow{a} P'(T)}\ [a \neq \tau]$

$\dfrac{Q(T) \xrightarrow{\tau} Q'(T)}{P(T) \,\Box\, Q(T) \xrightarrow{\tau} P(T) \,\Box\, Q'(T)}$ \qquad $\dfrac{Q(T) \xrightarrow{a} Q'(T)}{P(T) \,\Box\, Q(T) \xrightarrow{a} Q'(T)}\ [a \neq \tau]$

Internal choice:

$P(T) \sqcap Q(T) \xrightarrow{\tau} P(T)$ \qquad $P(T) \sqcap Q(T) \xrightarrow{\tau} Q(T)$

Sliding choice:

$\dfrac{P(T) \xrightarrow{\tau} P'(T)}{P(T) \rhd Q(T) \xrightarrow{\tau} P'(T) \rhd Q(T)}$ \qquad $\dfrac{P(T) \xrightarrow{a} P'(T)}{P(T) \rhd Q(T) \xrightarrow{a} P'(T)}\ [a \neq \tau]$ \qquad $P(T) \rhd Q(T) \xrightarrow{\tau} Q(T)$

Binding:

$\dfrac{E(X) = P}{X(T) \xrightarrow{\tau} P(T)}$

Conditional:

$\dfrac{P(T) \xrightarrow{a} P'(T)}{\text{if } True \text{ then } P(T) \text{ else } Q(T) \xrightarrow{a} P'(T)}$ \qquad $\dfrac{Q(T) \xrightarrow{a} Q'(T)}{\text{if } False \text{ then } P(T) \text{ else } Q(T) \xrightarrow{a} Q'(T)}$

Figure 4: Operational semantic rules for the choice operators and binding

Let a be a construct of the form c§_1x_1:X_1 ... §_kx_k:X_k. In order to define the prefix transition rules for the language with nondeterministic selections added in, we proceed in two steps. Firstly, we deal with constructs with no nondeterministic selections.

Prefix Rule 1. (Prefixes with no nondeterministic selections)

$\dfrac{}{a \to P(T) \xrightarrow{c.v_1 \ldots v_k} P(T)[v_i/x_i \mid i \in {?}(a)]}\ [\,c.v_1 \ldots v_k \in \mathit{Comms}(a) \wedge \#\$(a) = 0\,]$

where Comms(a) is the set of concrete events that a describes; formally:

$\mathit{Comms}(c\,\S_1 x_1{:}X_1 \ldots \S_k x_k{:}X_k) = \{ c.v_1 \ldots v_k \mid \forall i \in \{1..k\} \bullet (\S_i = {?} \wedge v_i \in X_i) \vee (\S_i = {!} \wedge v_i = x_i) \}$.

The second step involves deriving transitions from prefix constructs with at least one nondeterministic selection, producing invisible transitions that resolve the choices, and substituting the chosen values for the variables of the choices. For reasons that will become clear later, we simultaneously resolve all nondeterministic selections over types other than t before simultaneously resolving all nondeterministic selections over type t.

The following rule resolves all nondeterministic selections over types other than t, replacing each variable x_i with i ∈ $^{non-t}(a) with an appropriate value v_i ∈ X_i. (Here and subsequently we treat subscripting as functional application, i.e. v_i is the result of applying function v to index i.)

Prefix Rule 2a. (Prefixes with nondeterministic selections over non-t types)

$\dfrac{}{a \to P(T) \xrightarrow{\tau} \big(\mathit{Replace}^{non\text{-}t}_{\$\to!}(a) \to P(T)\big)[v_i/x_i \mid i \in \$^{non\text{-}t}(a)]}\ [\,\mathrm{dom}(v) = \$^{non\text{-}t}(a) \wedge \forall i \in \$^{non\text{-}t}(a) \bullet v_i \in X_i \wedge \#\$^{non\text{-}t}(a) > 0\,]$

The following rule then resolves all nondeterministic selections over t, replacing each variable x_i with i ∈ $^t(a) with an appropriate value v_i ∈ T.

Prefix Rule 2b. (Prefixes with nondeterministic selections only over type t)

$\dfrac{}{a \to P(T) \xrightarrow{\tau} \big(\mathit{Replace}^{t}_{\$\to!}(a) \to P(T)\big)[v_i/x_i \mid i \in \$^{t}(a)]}\ [\,\mathrm{dom}(v) = \$^{t}(a) \wedge \forall i \in \$^{t}(a) \bullet v_i \in T \wedge \#\$^{non\text{-}t}(a) = 0 \wedge \#\$^{t}(a) > 0\,]$

The above two rules are consistent with defining a → P(T) as

$\bigsqcap (x_i{:}X_i \mid i \in \$^{non\text{-}t}(a)) \bullet \big( \bigsqcap (x_i{:}T \mid i \in \$^{t}(a)) \bullet \mathit{Replace}_{\$\to!}(a) \to P(T) \big)$,

where we use $\bigsqcap (x_i{:}X_i \mid i \in I) \bullet P(x_{i_1}, \ldots, x_{i_n})$ as shorthand for $\bigsqcap (x_{i_1}, \ldots, x_{i_n}) \in X_{i_1} \times \cdots \times X_{i_n} \bullet P(x_{i_1}, \ldots, x_{i_n})$, for $I = \{i_1, \ldots, i_n\}$.

Example 4.6. Recall our earlier running example:

P(t) = c$x:{a, b}$y:t?z:t → if y = z then d!x → STOP else STOP.

Figure 1 represents the operational semantics for P(T) where T = {0, 1}. The first τ transitions correspond to Prefix Rule 2a; the second τ transitions correspond to Prefix Rule 2b; the visible transitions correspond to Prefix Rule 1.



4.2.2. Calculating denotational values. It is possible to calculate denotational values of processes without resorting to operational semantics. Such a direct way, using denotational semantics, is discussed in [Ros97, Chapter 8]. However, since we will often work with LTSs, it makes sense to derive these values directly from transition graphs. Firstly, we need three definitions (from [Ros97, Chapter 7]).

• Given two states P(T) and Q(T), and a sequence of events (visible or invisible) $s = \langle a_i \mid i \in \{1..n\} \rangle$ for some n ≥ 0, we write $P(T) \xrightarrow{s} Q(T)$ if there exist states $P_0(T) = P(T), P_1(T), \ldots, P_n(T) = Q(T)$ such that for all i in {0..n−1} we have $P_i(T) \xrightarrow{a_{i+1}} P_{i+1}(T)$.

• We write $P(T) \stackrel{tr}{\Longrightarrow} Q(T)$ if there is s such that $P(T) \xrightarrow{s} Q(T)$ and tr is the restriction of s to visible events.

• We say that Q(T) refuses X, written Q(T) ref X, if Q(T) cannot perform τ (i.e. it is stable) and cannot perform any event from X: $\forall x \in X \cup \{\tau\} \bullet Q(T) \stackrel{x}{\nrightarrow}$.

Using the above, we have

$\mathit{traces}(P(T)) = \{ tr \in \Sigma^* \mid \exists Q(T) \bullet P(T) \stackrel{tr}{\Longrightarrow} Q(T) \}$,

$\mathit{failures}(P(T)) = \{ (tr, X) \in \Sigma^* \times \mathbb{P}\Sigma \mid \exists Q(T) \bullet P(T) \stackrel{tr}{\Longrightarrow} Q(T) \wedge Q(T)\ \mathit{ref}\ X \}$.
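As an added example (not part of the paper), the following Python builds the LTS of P(T) from Example 4.2 with T = {0, 1} by applying Prefix Rules 2a, 2b and 1 in the order given in Section 4.2.1, and then reads traces and failures off it using the three definitions just given. The representation of a construct as (symbol, variable, type name) triples, the environment as a tuple of bindings, and the encoding of the continuation Q_{x,y,z} as a Python function are all assumptions of this example, not notation from the paper.

```python
from itertools import product

TAU = "tau"
STOP = ("STOP",)
# Assumed encoding of types: "t" is the distinguished type with T = {0, 1}; "ab" is the non-t type {a, b}.
TYPES = {"t": (0, 1), "ab": ("a", "b")}


def prefix(channel, fields, env, cont):
    """State  a -> P : channel with fields (symbol in {$, ?, !}, variable, type name),
    env = tuple of (variable, value) bindings made so far, cont(env) = the state P."""
    return ("prefix", channel, fields, env, cont)


def stop_after(_env):
    return STOP


def after_c(env):
    """Q_{x,y,z} = if y = z then d!x -> STOP else STOP, resolved once y and z are bound."""
    e = dict(env)
    if e["y"] == e["z"]:
        return prefix("d", (("!", "x", "ab"),), env, stop_after)
    return STOP


# P(T) = c$x:{a,b}$y:T?z:T -> Q_{x,y,z}
P_T = prefix("c", (("$", "x", "ab"), ("$", "y", "t"), ("?", "z", "t")), (), after_c)


def step(state):
    """Outgoing transitions [(label, next_state)] of one state.
    Rule 2a: resolve all '$' over non-t types by one tau step; Rule 2b: then all '$' over t;
    Rule 1: once no '$' is left, the visible events are Comms(a)."""
    if state[0] == "STOP":
        return []
    _, ch, fields, env, cont = state
    for over_t in (False, True):
        sel = [(i, n, ty) for i, (s, n, ty) in enumerate(fields) if s == "$" and (ty == "t") == over_t]
        if sel:
            out = []
            for vals in product(*(TYPES[ty] for _, _, ty in sel)):
                new_fields = list(fields)
                for (i, n, ty), v in zip(sel, vals):
                    new_fields[i] = ("!", n, ty)          # Replace_{$->!} on the selected indices
                new_env = env + tuple((n, v) for (_, n, _), v in zip(sel, vals))
                out.append((TAU, prefix(ch, tuple(new_fields), new_env, cont)))
            return out
    # Rule 1 / Comms(a): '?' fields range over their type, '!' fields carry the bound value
    e = dict(env)
    ranges = [TYPES[ty] if s == "?" else (e[n],) for s, n, ty in fields]
    out = []
    for vals in product(*ranges):
        new_env = env + tuple((n, v) for (s, n, _), v in zip(fields, vals) if s == "?")
        out.append((ch + "." + ".".join(map(str, vals)), cont(new_env)))
    return out


def explore(initial):
    """The reachable LTS as a dict state -> [(label, next_state)]."""
    lts, todo = {}, [initial]
    while todo:
        s = todo.pop()
        if s not in lts:
            lts[s] = step(s)
            todo.extend(n for _, n in lts[s])
    return lts


def tau_closure(lts, states):
    seen, todo = set(), list(states)
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(n for a, n in lts[s] if a == TAU)
    return seen


def after(lts, initial, tr):
    """All Q with initial ==tr==> Q: follow tr, absorbing tau steps anywhere along the way."""
    cur = tau_closure(lts, {initial})
    for ev in tr:
        cur = tau_closure(lts, {n for s in cur for a, n in lts[s] if a == ev})
    return cur


def traces(lts, initial):
    """traces(P) = { tr | exists Q . P ==tr==> Q }, for a finite acyclic LTS."""
    result, todo = set(), [()]
    while todo:
        tr = todo.pop()
        if tr not in result:
            result.add(tr)
            for s in after(lts, initial, tr):
                todo.extend(tr + (a,) for a, _ in lts[s] if a != TAU)
    return result


def refuses(lts, q, X):
    """Q ref X: Q is stable (no tau) and has no initial event in X."""
    initials = {a for a, _ in lts[q]}
    return TAU not in initials and not (initials & set(X))


def in_failures(lts, initial, tr, X):
    """(tr, X) in failures(P) iff some Q with P ==tr==> Q refuses X."""
    return any(refuses(lts, q, X) for q in after(lts, initial, tr))


LTS = explore(P_T)

if __name__ == "__main__":
    for tr in sorted(traces(LTS, P_T)):
        print(tr)
    print(in_failures(LTS, P_T, (), {"c.a.0.0", "c.a.1.1"}))
```

The empty trace is paired with the refusal {c.a.0.0, c.a.1.1} because the stable state reached by choosing x = b, y = 0 offers only c.b.0.0 and c.b.0.1; this is the nondeterminism introduced by the $-selections showing up as a failure, exactly as Figure 1 suggests. After c.a.0.1 the process is STOP and refuses everything, while after c.a.0.0 it cannot refuse d.a.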
4.3. Semi-Symbolic Operational Semantics. Symbolic representation of models is often used in model checking (see e.g. [McM92, BCM+92]). In most cases the approach taken is to create a single, compact structure that represents the behaviour of multiple instances of a given system. The specification check is then performed on the symbolic model in order to deduce verification results for all the concretisations this model corresponds to.

In this section we present a symbolic operational semantics for CSP. Its aim, however, is not to be used to perform abstract refinement checking of processes. Given a process syntax Proc(t), it generates a single structure, which acts as a bridge between the different processes obtained from Proc(t) by substituting different concrete values for the parameter t. This will allow us, in Section 6, to use known behaviours of a given instance of the process to deduce facts about the behaviours of other instances of the same process definition. In our work we will apply this operational semantics only to specification processes.

One of the main characteristics of the symbolic operational semantics defined in this section is that only the parts of systems that involve type t are left in their symbolic form. All other components are instantiated in a way similar to that used in the standard operational semantics (Section 4.2). Therefore, the labels of transitions may contain some symbolic parts and some concrete parts. This is why we call any resulting transition graph a semi-symbolic labelled transition system (SSLTS), and call this operational semantics Semi-Symbolic Operational Semantics (SSOS).

Throughout this section we assume that all processes satisfy Seq. 

4.3.1. Symbolic transitions. In order to be able to tell symbolic and standard transitions apart, the symbolic transition relation is denoted by $\to_s$, i.e. $P(t) \xrightarrow{a}_s Q(t)$ denotes that there is an a-labelled transition from symbolic state P(t) to symbolic state Q(t).
We distinguish the following three types of symbolic transitions. 

Internal: The internal symbolic transitions, labelled r, are in a direct correspondence with 
the standard internal transitions. 

Visible: Visible symbolic transitions are similar to standard visible transitions. The main difference is that while the labels of standard visible transitions contain no input symbols and no variables, labels of visible symbolic transitions may contain nondeterministic selections of type t (e.g. $x:t), deterministic inputs of type t (e.g. ?x:t), outputs of type t (e.g. !x, where x is a variable of type t), or outputs of non-t parts (e.g. !v where v is a value not of type t).

Formally, each visible symbolic transition is labelled with a visible symbolic event, a construct of the form c§_1x_1:X_1 ... §_kx_k:X_k, where

• c is a channel name,

• §_i ∈ {$, ?, !} is an input/output symbol,

• x_i is a variable of type t or a value of type other than t; it can be a value only if it is immediately preceded by the output symbol !,

• X_i is t if and only if the preceding input/output symbol §_i is either $ or ?; otherwise it is null.

For example, the process c!a?x:t$y:t → STOP has an initial symbolic transition with label c!a?x:t$y:t. We let Visible denote the set of all visible symbolic events.
Conditional: Since variables of type $t$ are not instantiated within SSLTSs, but left in their symbolic form, boolean conditions that contain such variables cannot, in general, be evaluated to either $\mathit{True}$ or $\mathit{False}$ at the time of generating a symbolic transition graph. Hence, in order to deal with processes with such conditional choices involving variables of type $t$, we introduce conditional symbolic transitions. Each such transition is labelled with a conditional symbolic event, a boolean expression obtained from the guard of a conditional choice on $t$ or its negation. For example, the syntax "if $x = y$ then $P$ else $Q$" gives rise to the conditional symbolic events "$x = y$" and "$\neg x = y$". We let $\mathit{Cond}$ denote the set of conditional symbolic events. Without loss of generality, we assume that the process syntax contains no trivial condition such as $x = x$.

Remark 4.7. If $e$ is a visible symbolic event, then $\$^{\mathit{non\text{-}t}}(e) = ?^{\mathit{non\text{-}t}}(e) = \{\}$.

We will usually use $a$ and its derivatives ($a'$, $a_1$, etc.) to denote labels whose kind is unknown or indifferent, and $e$ and its derivatives ($e'$, $e_1$, etc.) to denote visible symbolic events.



4.3.2. Transition rules. We define the Semi-Symbolic Operational Semantics using the inference rules below. Recall that we are considering only processes that satisfy Seq; therefore, we only provide transition rules for operators that the condition allows.

We begin with prefixing. Let $a$ be a construct of the form $c\S_1 x_1{:}X_1 \ldots \S_k x_k{:}X_k$. There are two transition rules for prefix. The first one defines the initial symbolic events of $a \to P(t)$ in the case when $a$ contains no nondeterministic selections over types other than $t$. It is similar to Prefix Rule 1 from the standard operational semantics (see Section 4.2.1), except that variables of type $t$ are left in their symbolic form when a transition label is obtained from $a$, so only deterministic selections over types other than $t$ are resolved.

Symbolic Prefix Rule 1.

$$\frac{e = c\S'_1 x'_1{:}X'_1 \ldots \S'_k x'_k{:}X'_k \in \mathit{Comms}^{\mathit{non\text{-}t}}(a)}{a \to P(t) \xrightarrow{e}_s P(t)[x'_i/x_i \mid i \in ?^{\mathit{non\text{-}t}}(a)]} \quad [\#\$^{\mathit{non\text{-}t}}(a) = 0]$$

where $\mathit{Comms}^{\mathit{non\text{-}t}}(a)$ is the set of events that $a$ describes (under the assumption that $a$ contains no nondeterministic selections over types other than $t$), with the parts involving type $t$ left in their symbolic form; formally:

$$\mathit{Comms}^{\mathit{non\text{-}t}}(c\S_1 x_1{:}X_1 \ldots \S_k x_k{:}X_k) = \{ c\S'_1 x'_1{:}X'_1 \ldots \S'_k x'_k{:}X'_k \mid \forall i \in \{1..k\} \bullet$$
$$(\S_i = ? \wedge X_i \neq t \wedge \S'_i = ! \wedge x'_i \in X_i \wedge X'_i = \mathit{null})$$
$$\vee\ (\S_i = \S'_i \in \{\$, ?\} \wedge X'_i = X_i = t \wedge x'_i = x_i)$$
$$\vee\ (\S_i = \S'_i = ! \wedge X'_i = X_i \wedge x'_i = x_i) \}.$$



The second transition rule of prefix deals with prefixes that contain at least one nondeterministic selection over a type other than $t$. It is similar to Prefix Rule 2a from the standard operational semantics (see Section 4.2.1). All the nondeterministic selections over types other than $t$ are resolved simultaneously, the act of which generates a single $\tau$ transition. The values $v_i$ chosen are substituted for the variables $x_i$ of the selections.

Symbolic Prefix Rule 2.

$$\frac{\mathrm{dom}(v) = \$^{\mathit{non\text{-}t}}(a) \wedge \forall i \in \$^{\mathit{non\text{-}t}}(a) \bullet v_i \in X_i}{a \to P(t) \xrightarrow{\tau}_s (\mathit{Replace}^{\mathit{non\text{-}t}}_{\$!}(a) \to P(t))[v_i/x_i \mid i \in \$^{\mathit{non\text{-}t}}(a)]}$$
$$\frac{P(t) \xrightarrow{a}_s P'(t)}{P(t) \,\Box\, Q(t) \xrightarrow{a}_s P'(t) \,\Box\, Q(t)} \qquad \frac{Q(t) \xrightarrow{a}_s Q'(t)}{P(t) \,\Box\, Q(t) \xrightarrow{a}_s P(t) \,\Box\, Q'(t)} \qquad [a \in \mathit{Cond} \cup \{\tau\}]$$

$$\frac{P(t) \xrightarrow{e}_s P'(t)}{P(t) \,\Box\, Q(t) \xrightarrow{e}_s P'(t)} \qquad \frac{Q(t) \xrightarrow{e}_s Q'(t)}{P(t) \,\Box\, Q(t) \xrightarrow{e}_s Q'(t)} \qquad [e \in \mathit{Visible}]$$

$$P(t) \sqcap Q(t) \xrightarrow{\tau}_s P(t) \qquad\qquad P(t) \sqcap Q(t) \xrightarrow{\tau}_s Q(t)$$

$$\frac{P(t) \xrightarrow{a}_s P'(t)}{P(t) \rhd Q(t) \xrightarrow{a}_s P'(t) \rhd Q(t)} \quad [a \in \mathit{Cond} \cup \{\tau\}] \qquad\qquad P(t) \rhd Q(t) \xrightarrow{\tau}_s Q(t)$$

$$\frac{P(t) \xrightarrow{e}_s P'(t)}{P(t) \rhd Q(t) \xrightarrow{e}_s P'(t)} \quad [e \in \mathit{Visible}] \qquad\qquad X(t) \xrightarrow{\tau}_s P(t)$$

Figure 5: Semi-symbolic operational semantics rules for external, internal and sliding choice, and for binding

The transition rules for external, internal and sliding choice and for binding are very similar to the standard rules, and are given in Figure 5. One exception is the presence of conditional symbolic transitions, which need to be taken into consideration here. Conditional choices must be resolved without any other influence on the overall state of the system, which means that the members of $\mathit{Cond}$ must be promoted by the $\Box$ and $\rhd$ operators in the same way $\tau$'s are.

Clause (iv) of the definition of Seq (Definition 3.4) implies that guards of conditional choices may not contain both variables of type $t$ and variables of non-$t$ types. The truth of any boolean condition that contains no variables of type $t$ (i.e. every conditional not in $\mathit{Cond}$) can be fully evaluated at the time of SSLTS generation. Hence we have the following rules, similar to the standard rules.

$$\frac{P(t) \xrightarrow{a}_s P'(t)}{\text{if } \mathit{True} \text{ then } P(t) \text{ else } Q(t) \xrightarrow{a}_s P'(t)} \qquad \frac{Q(t) \xrightarrow{a}_s Q'(t)}{\text{if } \mathit{False} \text{ then } P(t) \text{ else } Q(t) \xrightarrow{a}_s Q'(t)}$$

Every conditional choice with a boolean condition cond that involves type t (i.e. every 
conditional in Cond) may either evolve to the positive branch by following a conditional 
transition labelled with cond or it may evolve to the negative branch by following a condi- 
tional transition labelled with the negation of cond. 

$$\text{if } \mathit{cond} \text{ then } P(t) \text{ else } Q(t) \xrightarrow{\mathit{cond}}_s P(t) \quad [\mathit{cond} \in \mathit{Cond}]$$

$$\text{if } \mathit{cond} \text{ then } P(t) \text{ else } Q(t) \xrightarrow{\neg\mathit{cond}}_s Q(t) \quad [\mathit{cond} \in \mathit{Cond}]$$

Example 4.8. Recall our running example:

$$P(t) = c\$x{:}\{a, b\}\$y{:}t?z{:}t \to \text{if } y = z \text{ then } d!x \to \mathit{STOP} \text{ else } \mathit{STOP}.$$

Figure 2 represents the semi-symbolic operational semantics for $P(t)$. The $\tau$ transitions correspond to Symbolic Prefix Rule 2; the visible transitions correspond to Symbolic Prefix Rule 1.

4.3.3. Symbolic traces. Symbolic traces will play a vital role in the analysis of behaviour of process families based on SSOS. They are similar to ordinary CSP traces (Section 2.2), except they contain visible symbolic events instead of ordinary visible events, and may contain both conditional and $\tau$ symbolic events.

Formally, we define a symbolic trace as follows. Let $\mathcal{S} = (S, s_0, L, \to_s)$ be the SSLTS obtained by applying the SSOS to process syntax $\mathit{Proc}(t)$. Given two symbolic states $P(t)$ and $Q(t)$ in $\mathcal{S}$ and a sequence of symbolic events $\sigma = \langle a_i \mid i \in \{1..n\} \rangle$, we write $P(t) \overset{\sigma}{\Longrightarrow}_s Q(t)$ to mean that there exist symbolic states $P_0(t) = P(t), P_1(t), \ldots, P_n(t) = Q(t)$ such that for all $i$ in $\{0..n-1\}$, $P_i(t) \xrightarrow{a_{i+1}}_s P_{i+1}(t)$; $\sigma$ is called a symbolic trace of $P(t)$. Therefore, a symbolic trace of $\mathit{Proc}(t)$ is a sequence of labels of symbolic events that form a path, starting at $s_0$, through $\mathcal{S}$. We let $\mathit{SymbolicTraces}(\mathit{Proc}(t))$ denote the set of all symbolic traces of $\mathit{Proc}(t)$. Observe that symbolic traces are quite different from standard traces as they may contain symbolic $\tau$ events and conditional symbolic events, while ordinary traces contain only visible events. In Section 4.6 we will study the relationship between symbolic and concrete traces in more detail. We will usually use $\sigma$, $\rho$ and their derivatives ($\sigma'$, $\rho_1$, etc.) to denote symbolic traces.

In Section 6 we will work with symbolic traces that are "similar" in the sense that their restrictions to conditional and visible symbolic events are identical.

Definition 4.9. Let $\sigma$ and $\sigma'$ be two symbolic traces. Then $\sigma$ and $\sigma'$ are non-$\tau$ equivalent, written $\sigma \equiv_{\mathit{non\text{-}\tau}} \sigma'$, if $\sigma \setminus \{\tau\} = \sigma' \setminus \{\tau\}$.

4.4. Concrete Operational Semantics with Environments. So far we have presented a concrete and a semi-symbolic operational semantics for CSP (see Section 4.2 and Section 4.3 respectively). In this section we present a concrete operational semantics which joins the two together. We call it Concrete Operational Semantics with Environments (COSE). The states of an SSLTS correspond to the control states of a given process. In order to link the symbolic and concrete states (where the latter contain information not only about program state, but also about data of type $t$) we need a mechanism for introducing concrete values into symbolic states. We do this through the use of environments. The environments defined in this section are different from the environment with which processes communicate, or the global map $E$ of identifiers to process definitions that we introduced in Section 2.1. Intuitively, environments map free variables within process syntaxes to concrete values that were previously bound to such variables through inputs.

Definition 4.10. Let $\mathit{Env}(t) = \mathit{Var} \rightharpoonup t$. Then an environment is a partial function $\Gamma \in \mathit{Env}(T)$ for some instantiation $T$ of type $t$.
For later convenience, we adopt the notational convention that for all $v$ in $\mathit{Value}$, $\Gamma(v) = v$. We lift the application of environments to various structures that we use (constructs, processes, sets, relations, etc.) in the natural way: if $X(T)$ is such a structure and $\Gamma$ is in $\mathit{Env}(T)$, then $\Gamma(X(T))$ is a structure like $X(T)$ but with every free variable $x$ of type $t$ replaced by $\Gamma(x)$ (assuming $x$ is in $\mathrm{dom}(\Gamma)$). In particular, given a process definition $P(t)$ we define the syntactic substitution

$$P(t)[\Gamma] = P(t)[\Gamma(x)/x \mid x \in \mathrm{dom}(\Gamma)].$$

Note that for all environments $\Gamma$, all symbolic events $a$, and $f \in \{t, \mathit{non\text{-}t}\}$, we have that $\$^f(\Gamma(a)) = \$^f(a)$ and $?^f(\Gamma(a)) = ?^f(a)$, which means that $\$(\Gamma(a)) = \$(a)$ and $?(\Gamma(a)) = ?(a)$.

Let $T$ and $T'$ be two instantiations of type $t$. Then, given a function $f : T \to T'$ and an environment $\Gamma$ in $\mathit{Env}(T)$, we define

$$f(\Gamma) = \{x \mapsto f(v) \mid \Gamma(x) = v\}.$$

Observe that $f(\Gamma)$ is an environment in $\mathit{Env}(T')$.

The states of the LTS $\mathcal{C}$ that COSE generates from a given process syntax $\mathit{Proc}(t)$ are configurations $(P(t), \Gamma, T)$, where:

• $P(t)$ is a symbolic state, equal to or slightly modified from a state of the SSLTS $\mathcal{S}$ of $\mathit{Proc}(t)$,

• $\Gamma$ is an environment in $\mathit{Env}(T)$, and

• $T$ is a concrete instantiation of type $t$.

Note that the inclusion of the type instantiation as the third element of a configuration means that each choice of $T$ gives rise to a different LTS. Whenever the concrete type $T$ is clear from the context or indifferent, we omit it from the configurations and use pairs $(P(t), \Gamma)$.

The initial state of $\mathcal{C}$ is defined to be the configuration $(P_0(t), \{\}, T)$, where $P_0(t)$ is the initial state of $\mathcal{S}$; we sometimes abbreviate this as $P_0(T)$. To emphasise the fact that COSE is a concrete operational semantics we denote the transition relation using the same symbol ($\to$) that we used in Section 4.2.

We treat two configurations as identical if they describe exactly the same process. Formally, $(P(t), \Gamma, T) = (P'(t), \Gamma', T')$ if and only if $P(t)[\Gamma] =_\alpha P'(t)[\Gamma']$ and $T = T'$, where $=_\alpha$ denotes operational semantics alpha-equivalence, i.e. equality of operational semantics modulo renaming of bound variables.

Remark 4.11. Observe that¹⁰ $P(t)[\Gamma] = P(t)[FV(P(t)) \lhd \Gamma]$ for all symbolic states $P(t)$ and all environments $\Gamma$, where $FV(P(t))$ denotes the free variables of $P(t)$. Therefore, configurations $(P(t), \Gamma, T)$ and $(P(t), FV(P(t)) \lhd \Gamma, T)$ are identical. From now on we always assume environment minimality within configurations, which we achieve by restricting the environment $\Gamma$ of every configuration $(P(t), \Gamma, T)$ to the free variables of $P(t)$.

¹⁰ $S \lhd \Gamma$ denotes $\Gamma$ restricted to domain $S$, i.e. $\{x \mapsto y \mid (x \mapsto y) \in \Gamma \wedge x \in S\}$.
4.4.1. Translation rules. We present the specification of COSE using translation rules that translate transitions within SSLTSs into corresponding COSE transitions. Let $T$ be a fixed instantiation of the distinguished type parameter $t$.

Given a symbolic state $P(t)$, we let $Q(t) = \mathit{Replace}^{t}_{\$!}(c, P(t))$ be a symbolic state like $P(t)$, except every transition from $P(t)$ labelled with a visible symbolic event $e$ on channel $c$ is replaced with an identical transition in $Q(t)$, but labelled with $\mathit{Replace}^{t}_{\$!}(e)$ instead, i.e. if $P(t) \xrightarrow{e}_s P'(t)$ then $Q(t) \xrightarrow{\mathit{Replace}^{t}_{\$!}(e)}_s P'(t)$. We will see later (Proposition 5.3) that all such transitions over $c$ result from the same construct.

Visible symbolic events that contain a nondeterministic selection over type $t$ are translated into two concrete events: a $\tau$ that resolves the nondeterminism; and a subsequent visible event. The first translation rule shows how the $\tau$ is produced; for each nondeterministically chosen variable $x_i$ in the symbolic event, the environment is updated to map $x_i$ to some value $v_i$, and the nondeterministic choice in the subsequent symbolic event is replaced by an output (to be dealt with later).



Translation Rule 1.

$$\frac{P(t) \xrightarrow{e}_s Q(t) \qquad e = c\S_1 x_1{:}X_1 \ldots \S_k x_k{:}X_k \wedge v \in \$^t(e) \to T}{(P(t), \Gamma, T) \xrightarrow{\tau} (\mathit{Replace}^{t}_{\$!}(c, P(t)), \Gamma \oplus \{x_i \mapsto v_i \mid i \in \$^t(e)\}, T)} \quad [\#\$^t(e) > 0]$$

Clause (v) of the definition of Seq (Definition 3.4) implies that there is never a clash between a nondeterministic input variable of type $t$ from one branch of an external or sliding choice and a free variable present in the other branch. Without this assumption, Translation Rule 1 could produce wrong answers, as demonstrated by the following example.

Example 4.12. Let $\mathit{Proc}(t) = c_1?x{:}t \to (c_2\$x{:}t?y{:}t \to \mathit{STOP} \,\Box\, c_1!x \to \mathit{STOP})$ and $T = \{0, 1\}$. Then, after performing $c_1.0$ and a $\tau$ resolving the nondeterministic selection by choosing $x = 1$, the configuration $(\mathit{Proc}(t), \{\}, T)$ evolves to $(c_2!x?y{:}t \to \mathit{STOP} \,\Box\, c_1!x \to \mathit{STOP}, \{x \mapsto 1\}, T)$. Then, by Translation Rule 2 (see below), the event $c_1.1$ is available, which clearly should not be the case.

Next, we show how visible symbolic events that contain no nondeterministic selections of type $t$ get instantiated into concrete visible events by substituting values from the environment for all the outputs of type $t$ and choosing the values of all deterministic inputs of type $t$.

Translation Rule 2.

$$\frac{P(t) \xrightarrow{e}_s Q(t) \qquad e = c\S_1 x_1{:}X_1 \ldots \S_k x_k{:}X_k \qquad \mathrm{dom}(v) = \{1..k\} \wedge (\forall i \in ?^t(e) \bullet v_i \in T) \wedge \forall i \in !(e) \bullet v_i = \Gamma(x_i)}{(P(t), \Gamma, T) \xrightarrow{c.v_1 \ldots v_k} (Q(t), \Gamma \oplus \{x_i \mapsto v_i \mid i \in ?^t(e)\}, T)}$$

Example 4.13. Recall our running example

$$P(t) = c\$x{:}\{a, b\}\$y{:}t?z{:}t \to \text{if } y = z \text{ then } d!x \to \mathit{STOP} \text{ else } \mathit{STOP}$$

whose SSOS semantics appear in Figure 2. In particular, consider the transition

$$c!a\$y{:}t?z{:}t \to Q_{a,y,z} \xrightarrow{c!a\$y{:}t?z{:}t}_s Q_{a,y,z}. \tag{4.1}$$

Translation Rule 1 implies that configuration $(c!a\$y{:}t?z{:}t \to Q_{a,y,z}, \{\}, T)$, with $T = \{0, 1\}$, can do a $\tau$ and become either of

$$\mathit{conf}_0 = (\mathit{Replace}^{t}_{\$!}(c, c!a\$y{:}t?z{:}t \to Q_{a,y,z}), \{y \mapsto 0\}, T),$$

$$\mathit{conf}_1 = (\mathit{Replace}^{t}_{\$!}(c, c!a\$y{:}t?z{:}t \to Q_{a,y,z}), \{y \mapsto 1\}, T).$$

Now, from (4.1) and the definition of $\mathit{Replace}$:

$$\mathit{Replace}^{t}_{\$!}(c, c!a\$y{:}t?z{:}t \to Q_{a,y,z}) \xrightarrow{\mathit{Replace}^{t}_{\$!}(c!a\$y{:}t?z{:}t)}_s Q_{a,y,z}.$$

Hence, using Translation Rule 2, we can deduce

$$\mathit{conf}_0 \xrightarrow{c.a.0.0} (Q_{a,y,z}, \{y \mapsto 0, z \mapsto 0\}, T),$$

$$\mathit{conf}_0 \xrightarrow{c.a.0.1} (Q_{a,y,z}, \{y \mapsto 0, z \mapsto 1\}, T);$$

and similarly for $\mathit{conf}_1$. (In Figure 3 the process $\mathit{Replace}^{t}_{\$!}(c, c!a\$y{:}t?z{:}t \to Q_{a,y,z})$ is written as $c!a!y{:}t?z{:}t \to Q_{a,y,z}$, for convenience.)

Remark 4.14. We can combine Translation Rules 1 and 2 to deduce that if

$$P(t) \xrightarrow{e}_s Q(t) \wedge e = c\S_1 x_1{:}X_1 \ldots \S_k x_k{:}X_k \wedge \mathrm{dom}(v) = \{1..k\} \wedge (\forall i \in \$^t(e) \cup ?^t(e) \bullet v_i \in T) \wedge \forall i \in !(e) \bullet v_i = \Gamma(x_i),$$

then

$$(P(t), \Gamma, T)\ [\xrightarrow{\tau}]\ \xrightarrow{c.v_1 \ldots v_k} (Q(t), \Gamma \oplus \{x_i \mapsto v_i \mid i \in \$^t(e) \cup ?^t(e)\}, T),$$

where $[\xrightarrow{\tau}]$ denotes an optional $\tau$ transition, present if and only if $\#\$^t(e) > 0$.

The next translation rule says that when a concrete LTS is obtained from an SSLTS, symbolic $\tau$ transitions are turned into standard $\tau$ transitions.

Translation Rule 3.

$$\frac{P(t) \xrightarrow{\tau}_s Q(t)}{(P(t), \Gamma, T) \xrightarrow{\tau} (Q(t), \Gamma, T)}$$



The final translation rule shows how conditional symbolic transitions disappear when an SSLTS is instantiated into a concrete LTS using COSE; the labels are evaluated in the environment, affecting the availability of the subsequent transitions.

Translation Rule 4.

$$\frac{P(t) \xrightarrow{\mathit{cond}}_s Q(t) \qquad (Q(t), \Gamma, T) \xrightarrow{a} (R(t), \Gamma', T)}{(P(t), \Gamma, T) \xrightarrow{a} (R(t), \Gamma', T)} \quad [\mathit{cond} \in \mathit{Cond} \wedge [\![\mathit{cond}]\!]_\Gamma]$$

where $[\![\mathit{cond}]\!]_\Gamma$ denotes the truth value of the proposition obtained from $\mathit{cond}$ by substituting all free variables of type $t$ with their corresponding values contained within the environment $\Gamma$. Note that if $(Q(t), \Gamma, T)$ is deadlocked, then so is $(P(t), \Gamma, T)$.
Example 4.15. Recall our running example

$$P(t) = c\$x{:}\{a, b\}\$y{:}t?z{:}t \to \text{if } y = z \text{ then } d!x \to \mathit{STOP} \text{ else } \mathit{STOP}$$

whose SSOS semantics appear in Figure 2. The COSE semantics is given in Figure 3. The initial $\tau$-transitions follow from Translation Rule 3. The subsequent $\tau$-transitions and transitions with events on $c$ were explained in Example 4.13. The left-hand final transition with event $d.a$ follows from Translation Rule 4, noting that $[\![y = z]\!]_{\{y \mapsto 0, z \mapsto 0\}}$, and using the fact that $(d!a \to \mathit{STOP}, \{y \mapsto 0, z \mapsto 0\}, T) \xrightarrow{d.a} \mathit{STOP}$, by Translation Rule 2; other transitions on $d$ follow similarly.

4.5. Congruence of COSE to the standard operational semantics. We will often work with concrete LTSs generated by COSE rather than by the standard operational semantics. It is therefore important that the two operational semantics are congruent so that any denotational values extracted from them are identical. The following theorem proves such a congruence.

Theorem 4.16. (Congruence of COSE to the standard operational semantics.)

Suppose that $\mathit{Proc}(t)$ is some process syntax that satisfies Seq. Let $\mathcal{L}_1$ and $\mathcal{L}_2$ be the LTSs generated from $\mathit{Proc}(t)$, for some fixed instantiation $T$ of type $t$, using COSE and the standard operational semantics, respectively. Then $\mathcal{L}_1$ and $\mathcal{L}_2$ are strongly bisimilar.

Proof sketch. By showing that

$$\mathcal{B} = \{((P(t), \Gamma), P(T)[\Gamma]) \mid (P(t), \Gamma) \in \mathcal{L}_1 \wedge P(T)[\Gamma] \in \mathcal{L}_2\}$$

is a strong bisimulation relation between the states of $\mathcal{L}_1$ and $\mathcal{L}_2$, using structural induction on $P(t)$. □

One implication of Theorem 4.16 is the fact that we can express denotational values of configurations of LTSs obtained using COSE in terms of the denotational values calculated from states of LTSs generated using standard operational semantics; so:

$$\mathit{traces}(\mathit{Proc}(t), \Gamma, T) = \mathit{traces}(\mathit{Proc}(T)[\Gamma]),$$

$$\mathit{failures}(\mathit{Proc}(t), \Gamma, T) = \mathit{failures}(\mathit{Proc}(T)[\Gamma]),$$

for every process syntax $\mathit{Proc}(t)$, instantiation $T$ of $t$ and environment $\Gamma$ in $\mathit{Env}(T)$.

4.6. Relating symbolic and concrete traces. In this section we define what it means for a concrete trace to be an instantiation of a symbolic trace. We do this by using a ternary relation $\mathit{generates}$ that links symbolic traces (Section 4.3.3), environments and concrete traces. The environments are included in the relation, since, in order to relate a symbolic trace to a concrete trace, concrete values need to be substituted for the free variables that can occur within the symbolic trace; these concrete values come from environments.

Given a process syntax $\mathit{Proc}(t)$ and an instantiation $T$ of type $t$, we define a relation $\mathit{generates}$ written using infix notation: $\sigma\ \mathit{generates}_\Gamma\ tr$, for a symbolic trace $\sigma$, an environment $\Gamma$ and a concrete trace $tr$:

(i) $\langle\rangle\ \mathit{generates}_\Gamma\ \langle\rangle$,

(ii) $\sigma\ \mathit{generates}_\Gamma\ tr \iff \langle\tau\rangle^{\frown}\sigma\ \mathit{generates}_\Gamma\ tr$,

(iii) $\sigma\ \mathit{generates}_\Gamma\ tr \wedge [\![\mathit{cond}]\!]_\Gamma \iff \langle\mathit{cond}\rangle^{\frown}\sigma\ \mathit{generates}_\Gamma\ tr$,

(iv) $\varepsilon \in \mathit{Insts}_\Gamma(e) \wedge \sigma\ \mathit{generates}_{\Gamma \oplus \mathit{Match}(e, \varepsilon)}\ tr \iff \langle e\rangle^{\frown}\sigma\ \mathit{generates}_\Gamma\ \langle\varepsilon\rangle^{\frown}tr$,

where $\mathit{Insts}_\Gamma(e)$ gives all instantiations of $e$ consistent with $\Gamma$, and $\mathit{Match}(e, \varepsilon)$ gives the extension to the environment caused by instantiating $e$ with $\varepsilon$; let $e$ be of the form $c\S_1 x_1{:}X_1 \ldots \S_k x_k{:}X_k$, and recall that, by Remark 4.7, $\$^{\mathit{non\text{-}t}}(e) = ?^{\mathit{non\text{-}t}}(e) = \{\}$:

$$\mathit{Insts}_\Gamma(e) = \{c.v_1 \ldots v_k \mid \forall i \in \$^t(e) \cup ?^t(e) \bullet v_i \in T \wedge \forall i \in !(e) \bullet v_i = \Gamma(x_i)\},$$
$$\mathit{Match}(e, c.v_1 \ldots v_k) = \{x_i \mapsto v_i \mid i \in \$^t(e) \cup ?^t(e)\}.$$

Observe that rule (ii) indicates that we essentially ignore any $\tau$'s present in the symbolic traces. For brevity we write $\sigma, \sigma'\ \mathit{generates}_\Gamma\ tr$ to mean that both $\sigma\ \mathit{generates}_\Gamma\ tr$ and $\sigma'\ \mathit{generates}_\Gamma\ tr$.

Using the above definition we can describe what it means for a (concrete) visible event to match a visible symbolic event. In the following definition we treat two concrete events as essentially different if they are available after different traces.

Definition 4.17. A visible event $\varepsilon$ that is available in $\mathit{Proc}(T)$ immediately after a trace $tr$ matches a visible symbolic event $e$ if there exists a symbolic trace $\sigma$ such that $\sigma^{\frown}\langle e\rangle$ is in $\mathit{SymbolicTraces}(\mathit{Proc}(t))$ and $\sigma^{\frown}\langle e\rangle\ \mathit{generates}_{\Gamma_{init}}\ tr^{\frown}\langle\varepsilon\rangle$.
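The $\mathit{generates}$ relation and the matching test of Definition 4.17, as an added executable illustration (not code from the paper), run on the running example with $T = \{0, 1\}$; the dataclass encoding of symbolic events and the hand-written list of the running example's symbolic traces are assumptions of this illustration.

```python
"""sigma generates_Gamma tr (Section 4.6) and event matching (Definition 4.17)."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, Optional, Sequence, Tuple

TAU = "tau"  # the symbolic tau event


@dataclass(frozen=True)
class Field:
    """One field §x:X of a visible symbolic event (encoding assumed here)."""
    symbol: str            # '$' (nondeterministic selection), '?' (input) or '!' (output)
    name: object           # variable name, or a non-t value after '!'
    typ: Optional[str]     # 't' for selections/inputs (Remark 4.7), None for outputs


@dataclass(frozen=True)
class SymEvent:
    channel: str
    fields: Tuple[Field, ...]


@dataclass(frozen=True)
class Cond:
    """Conditional symbolic event: x = y when equal, otherwise ¬x = y."""
    x: str
    y: str
    equal: bool = True


def insts(e: SymEvent, gamma: Dict, T: set) -> set:
    """Insts_Gamma(e): concrete events c.v1...vk consistent with Gamma.  Selections
    and inputs of type t range over T; an output !x takes Gamma(x), and Gamma(v) = v
    for a non-t value v (the paper's notational convention)."""
    choices = []
    for f in e.fields:
        if f.symbol in ("$", "?"):
            choices.append(sorted(T))
        else:
            choices.append([gamma.get(f.name, f.name)])
    return {(e.channel,) + vs for vs in product(*choices)}


def match(e: SymEvent, eps: Tuple) -> Dict:
    """Match(e, eps): bindings x_i -> v_i for the selected/input positions of e."""
    return {f.name: v for f, v in zip(e.fields, eps[1:]) if f.symbol in ("$", "?")}


def holds(c: Cond, gamma: Dict) -> bool:
    """[[cond]]_Gamma for conditions of the form x = y / ¬x = y."""
    return (gamma[c.x] == gamma[c.y]) == c.equal


def generates(sigma: Sequence, gamma: Dict, tr: Sequence[Tuple], T: set) -> bool:
    """sigma generates_Gamma tr by clauses (i)-(iv): tau is skipped, a condition must
    hold in Gamma, and a visible symbolic event must be instantiated by the next
    concrete event, which extends Gamma by Match(e, eps)."""
    if not sigma:
        return len(tr) == 0                                         # (i)
    head, rest = sigma[0], sigma[1:]
    if head == TAU:
        return generates(rest, gamma, tr, T)                        # (ii)
    if isinstance(head, Cond):
        return holds(head, gamma) and generates(rest, gamma, tr, T)  # (iii)
    if not tr or tr[0] not in insts(head, gamma, T):
        return False
    return generates(rest, {**gamma, **match(head, tr[0])}, tr[1:], T)  # (iv)


def matches(eps, tr, e, symbolic_traces, T, gamma_init=None) -> bool:
    """Definition 4.17: eps available after tr matches e iff some sigma^<e> among the
    symbolic traces satisfies sigma^<e> generates_{Gamma_init} tr^<eps>."""
    gamma_init = gamma_init or {}
    return any(generates(s, gamma_init, list(tr) + [eps], T)
               for s in symbolic_traces if s and s[-1] == e)


# Running example P(t) = c$x:{a,b}$y:t?z:t -> if y = z then d!x -> STOP else STOP.
# After the tau of Symbolic Prefix Rule 2 has resolved x, its symbolic traces ending
# in a visible symbolic event are the following (written out by hand for this example).
def c_event(x):
    return SymEvent("c", (Field("!", x, None), Field("$", "y", "t"), Field("?", "z", "t")))


def d_event(x):
    return SymEvent("d", (Field("!", x, None),))


RUNNING_EXAMPLE_TRACES = (
    [[TAU, c_event(x)] for x in ("a", "b")]
    + [[TAU, c_event(x), Cond("y", "z"), d_event(x)] for x in ("a", "b")]
)
```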




5. Regularity results

In this section we present a series of regularity results that are consequences of the SeqNorm condition. These results show that specifications exhibit a certain clarity in their behaviour. Our main findings can be summarised as follows:

(1) There is no ambiguity about what configuration a process reaches after performing a sequence of concrete events that does not end with an internal event (Proposition 5.3);

(2) There is no ambiguity about which construct gives rise to a given concrete event that is available after a given trace (Proposition 5.5); and

(3) Every event available in a process syntax instantiated with a collapsed type is also an event available in the same process syntax instantiated with the uncollapsed type, and the target configurations are the same except for the underlying type (Proposition 5.7).

Regularity results will play a vital role in proving the main theorems of the type reduction theory.

In Section 4.6 we defined what it means for a concrete visible event to match a visible symbolic event. In the following sections we will often need to relate concrete and symbolic visible events and the syntax constructs that give rise to them. The following definition establishes such relationships formally.

Definition 5.1. Given a sequential process syntax $\mathit{Proc}(t)$, let $a_1, a_2, \ldots$ be the prefix constructs of $\mathit{Proc}(t)$ (where two prefix constructs are regarded as different if they appear in different places in $\mathit{Proc}(t)$). Let $T$ be a given instantiation of type $t$. Then, for every pair of a trace $tr$ and a visible event $\varepsilon$ such that $tr^{\frown}\langle\varepsilon\rangle$ is a trace of $\mathit{Proc}(T)$, there must be at least one $a_i$ that gives rise to $\varepsilon$ immediately after $tr$. We then say that $a_i$ is matched by $\varepsilon$ (or that $\varepsilon$ matches $a_i$). We define visible symbolic events to match syntax constructs in an analogous way.



Example 5.2. Let

$$P(t) = c?x{:}t \to \mathit{STOP} \,\Box\, c\$x{:}t \to c.x \to \mathit{STOP}.$$

Then, for $T = \{0, 1\}$, given trace $tr = \langle\rangle$, the event $\varepsilon = c.1$ matches both the constructs $c?x{:}t$ and $c\$x{:}t$, but not $c.x$ (as $c.x$ may give rise to $c.1$, but only after the trace $\langle c.1\rangle$ and not the empty trace).

Note that the process in the above example does not satisfy SeqNorm. We will show (in Proposition 5.5) that for processes that do satisfy SeqNorm, each event (after a given trace) matches a unique construct.

An important property of normality is the lack of ambiguity about what state a process reaches after performing a sequence of visible concrete events not followed by a $\tau$. The following proposition establishes this formally.

Proposition 5.3. Suppose that $\mathit{Proc}(t)$ satisfies SeqNorm. Suppose further that

$$(\mathit{Proc}(t), \Gamma_{init}) \overset{s}{\Longrightarrow} (P(t), \Gamma) \quad \text{and} \quad (\mathit{Proc}(t), \Gamma_{init}) \overset{s'}{\Longrightarrow} (Q(t), \Gamma'),$$

where $s, s'$ do not end with a $\tau$, and $s \setminus \tau = s' \setminus \tau$. Then $P(t) = Q(t)$ and $\Gamma = \Gamma'$.

Further, SeqNorm implies that every two symbolic traces that give rise to the same 
concrete trace, and are either the empty symbolic trace or both end in a visible symbolic 
event, are identical up to internal actions. 

Proposition 5.4. Suppose that $\mathit{Proc}(t)$ satisfies SeqNorm. Then, if $\sigma, \sigma'$ are symbolic traces of $\mathit{Proc}(t)$ such that $\sigma\ \mathit{generates}_\Gamma\ tr$ and $\sigma'\ \mathit{generates}_\Gamma\ tr$, and either $\sigma = \sigma' = \langle\rangle$ or both $\sigma$ and $\sigma'$ end in a visible symbolic event, then $\sigma \equiv_{\mathit{non\text{-}\tau}} \sigma'$.

For a process that satisfies SeqNorm, for each visible event that is performed after a 
given trace, there is never any ambiguity what construct this event matches. 

Proposition 5.5. Suppose that $\mathit{Proc}(t)$ satisfies SeqNorm. Then, if $tr^{\frown}\langle\varepsilon\rangle$ is a trace of $(\mathit{Proc}(t), \Gamma, T)$ for some type $T$ and some environment $\Gamma$, and $\varepsilon$ matches constructs $a$ and $a'$, then $a = a'$.

The following lemma compares corresponding constructs in two processes, one of which 
refines the other. 

Lemma 5.6. Suppose that $P(t)$ and $Q(t)$ satisfy SeqNorm. Let $T$ be an instantiation of type $t$. Suppose that $(Q(t), \Gamma_{init}, T) \sqsubseteq (P(t), \Gamma_{init}, T)$. Then for all visible symbolic events $e, e'$, symbolic traces $\sigma, \sigma'$ and traces $tr$ such that:

(i) $tr^{\frown}\langle\varepsilon\rangle \in \mathit{traces}(P(t), \Gamma_{init}, T)$;

(ii) $\sigma^{\frown}\langle e\rangle \in \mathit{SymbolicTraces}(P(t))\ \mathit{generates}_{\Gamma_{init}}\ tr^{\frown}\langle\varepsilon\rangle$; and

(iii) $\sigma'^{\frown}\langle e'\rangle \in \mathit{SymbolicTraces}(Q(t))\ \mathit{generates}_{\Gamma_{init}}\ tr^{\frown}\langle\varepsilon\rangle$;

we have that $!(e') \subseteq !(e)$.

The following proposition and its corollary form our final consequence of SeqNorm. The proposition says that every event available in a process syntax instantiated with some type is also an event available in the same process syntax instantiated with a larger type. In addition, the target configurations are the same (except for the underlying type). Corollary 5.8 then extends this observation to traces.

Proposition 5.7. Suppose that $\mathit{Proc}(t)$ satisfies SeqNorm. Let $\hat{T}$ and $T$ be instantiations of type $t$ such that $\hat{T} \subseteq T$ and let $\Gamma$ be an environment in $\mathit{Env}(\hat{T})$. Then, if

$$(\mathit{Proc}(t), \Gamma, \hat{T}) \xrightarrow{e} (\mathit{Proc}'(t), \Gamma', \hat{T}) \tag{5.1}$$

then

$$(\mathit{Proc}(t), \Gamma, T) \xrightarrow{e} (\mathit{Proc}'(t), \Gamma', T).$$

Corollary 5.8. Suppose that $\mathit{Proc}(t)$ satisfies SeqNorm. Let $\hat{T}$ and $T$ be instantiations of type $t$ such that $\hat{T} \subseteq T$. Then, if

$$(\mathit{Proc}(t), \Gamma, \hat{T}) \overset{tr}{\Longrightarrow} (\mathit{Proc}'(t), \Gamma', \hat{T}),$$

then

$$(\mathit{Proc}(t), \Gamma, T) \overset{tr}{\Longrightarrow} (\mathit{Proc}'(t), \Gamma', T).$$

6. Type reduction theory 

Recall that given an instantiation $T$ of type $t$ and a non-negative integer $B$, we defined (Definition 1.1) a $B$-collapsing function to be a function $\phi$ from $T$ to $\{0..B\}$ such that

• $\phi(v) = v$ for all $v$ in $\{0..B-1\}$;

• $\phi(v) = B$ for all $v$ in $\{B..\#T-1\}$.

In other words, $\phi$ replaces all but a fixed finite number of members of $t$ by a single value. Whenever $B$ is clear from context, we call $\phi$ a collapsing function.

As described in the Introduction, our aim is to develop a type reduction theory, to show that

$$\mathit{Spec}(\hat{T}) \sqsubseteq \phi(\mathit{Impl}(T)) \text{ implies that } \mathit{Spec}(T) \sqsubseteq \mathit{Impl}(T), \tag{6.1}$$

for all $T$ such that $T \supseteq \hat{T}$, where $\phi : T \to \hat{T}$ is a collapsing function.

The use of parameters in specifications and/or implementations leads to the problem 
of having to decide infinitely many refinements in order to deduce the answer to a verifica- 
tion problem. Our technique of using collapsing functions treats some values of type t as 
essentially identical. 

Our two main results, Theorem 6.5 and Theorem 6.13, prove (6.1) in the traces and stable failures models, respectively. They require suitable assumptions on $\mathit{Spec}$ (including SeqNorm) and $\mathit{Impl}$ (that it is symmetric in $t$); they give a lower bound on the size of $\hat{T}$ based on the syntax of $\mathit{Spec}$.

A significant part of this section is devoted to showing how certain behaviours (either 
in the traces or the stable failures model) of specifications instantiated with uncollapsed 
types can be inferred from known behaviours of the same specification instantiated with 
reduced types (justifying the name of our theory). 

We present and prove type reduction theorems for both the traces and the stable failures models in Sections 6.1 and 6.2 respectively. Proofs of some subsidiary results are in Appendix B.

First, we lift $\phi$ to various settings. Given a boolean condition $\mathit{cond}$, we define $\phi(\mathit{cond})$ to be like $\mathit{cond}$, except that every value or variable $x$ of type $t$ is replaced by $\phi(x)$. We adopt the notational convention that if $x$ is a value or a variable of a type other than $t$, or it is a type other than $t$, then $\phi(x) = x$.

We lift the application of $\phi$ to other common objects used in this paper in the natural way (see Table 1).
Object      | Application                 | Meaning
event       | $\phi(c.v_1 \ldots v_k)$    | $c.\phi(v_1) \ldots \phi(v_k)$
set/type    | $\phi(S)$                   | $\{\phi(x) \mid x \in S\}$
trace       | $\phi(tr)$                  | $\langle \phi(e) \mid e \leftarrow tr \rangle$
environment | $\phi(\Gamma)$              | $\{x \mapsto \phi(v) \mid \Gamma(x) = v\}$
process     | $\phi(P)$                   | $P[\phi(e)/e \mid e \in \Sigma]$

Table 1: Lifting the definition of $\phi$.



Finally, given an instantiation $T$ of type $t$, a $B$-collapsing function $\phi$, and a value $v$ in $\{0..B\}$, we define

$$\phi^{-1}(v) = \begin{cases} \{v' \in T \mid \phi(v') = v\}, & \text{if } v \in \{0..B\}, \\ \{v\}, & \text{otherwise.} \end{cases}$$

Also, given $T$, we lift the definition of $\phi^{-1}$ to events:

$$\phi^{-1}(c.v_1 \ldots v_k) = \{c.v'_1 \ldots v'_k \mid \forall i \in \{1..k\} \bullet v'_i \in \phi^{-1}(v_i)\},$$

and to sets of events:

$$\phi^{-1}(S) = \bigcup \{\phi^{-1}(e) \mid e \in S\}.$$
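The liftings of Table 1 and the inverse image $\phi^{-1}$ defined above, as an added Python illustration (not the paper's code), applied to the process used in Example 6.2 below with $T = \{0, 1, 2\}$ and $B = 1$; the enumeration of that process's concrete traces is written by hand for this illustration, and values of type $t$ are assumed to be exactly the integers in $T$.

```python
"""B-collapsing functions, their liftings (Table 1) and the inverse image phi^{-1}."""
from itertools import product


class Collapsing:
    """phi : T -> {0..B} with phi(v) = v for v < B and phi(v) = B otherwise.
    Values not of type t (channel names, the value 'a', ...) are left unchanged;
    by assumption the values of type t are exactly the integers in T = {0..n}."""

    def __init__(self, B, T):
        assert T == frozenset(range(len(T))) and len(T) >= B + 1
        self.B, self.T = B, frozenset(T)

    def value(self, v):
        if v in self.T:                           # v is of type t
            return v if v < self.B else self.B
        return v                                  # non-t value: phi(x) = x

    def event(self, ev):                          # phi(c.v1...vk) = c.phi(v1)...phi(vk)
        return (ev[0],) + tuple(self.value(v) for v in ev[1:])

    def trace(self, tr):                          # phi(tr) = <phi(e) | e <- tr>
        return tuple(self.event(e) for e in tr)

    def env(self, gamma):                         # phi(Gamma) = {x -> phi(v) | Gamma(x) = v}
        return {x: self.value(v) for x, v in gamma.items()}

    def lift_set(self, S, f):                     # phi(S) = {phi(x) | x in S}
        return {f(x) for x in S}

    def inv_value(self, v):                       # phi^{-1}(v): preimage, or {v} for non-t v
        if v in range(self.B + 1):
            return {w for w in self.T if self.value(w) == v}
        return {v}

    def inv_event(self, ev):                      # all c.v'1...v'k with v'i in phi^{-1}(vi)
        per_field = (sorted(self.inv_value(v), key=str) for v in ev[1:])
        return {(ev[0],) + vs for vs in product(*per_field)}

    def inv_set(self, S):                         # phi^{-1}(S) = union of phi^{-1}(e), e in S
        return set().union(*(self.inv_event(e) for e in S))


def traces_example_6_2(T, x0):
    """Concrete traces of Proc(t) = c!x$y:t?z:t -> if y = z then d!x -> STOP
    else d$w:t -> STOP, with Gamma_init(x) = x0, over the instantiation T
    (enumerated by hand for this illustration)."""
    trs = {()}
    for y, z in product(sorted(T), repeat=2):
        first = ("c", x0, y, z)
        trs.add((first,))
        if y == z:
            trs.add((first, ("d", x0)))            # "then" branch outputs x
        else:
            trs.update((first, ("d", w)) for w in T)  # "else" branch selects any w
    return trs
```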



6.1. Threshold results for the traces model. In this section we present the main results 
of our type reduction theory for use within the traces model. 

We begin with a proposition that establishes that, provided $\mathit{Proc}(t)$ satisfies SeqNorm and $\mathrm{RevPosConjEqT}_T$ and given a collapsing function $\phi$, if

• $tr$ is a trace of $(\mathit{Proc}(t), \Gamma_{init}, T)$ (for some sufficiently large $T$),

• $\phi(tr)^{\frown}\langle\varepsilon\rangle$ is a trace of $(\mathit{Proc}(t), \phi(\Gamma_{init}), T)$, and

• $\varepsilon$ does not have outputs of type $t$ from outside of $\{0..B-1\}$,

then every event that is like $\varepsilon$, except with arbitrary values of inputs of type $t$, is in $\mathit{initials}((\mathit{Proc}(t), \Gamma_{init}, T)/tr)$. In both the statement and the proof of this proposition we take the underlying type of all configurations to be the fixed type $T$.

Proposition 6.1. Let $B$ be some natural number. Suppose that

• $\mathit{Proc}(t)$ satisfies SeqNorm and $\mathrm{RevPosConjEqT}_T$;

• $\phi$ is a $B$-collapsing function; and

• $T$ is an instantiation of type $t$ of size at least $B + 1$.

Suppose further that

(i) $tr \in \mathit{traces}(\mathit{Proc}(t), \Gamma_{init})$;

(ii) $\phi(tr)^{\frown}\langle\varepsilon\rangle \in \mathit{traces}(\mathit{Proc}(t), \phi(\Gamma_{init}))$ with $\varepsilon = c.v_1 \ldots v_k$;

(iii) $\sigma^{\frown}\langle e\rangle \in \mathit{SymbolicTraces}(\mathit{Proc}(t))$ and $\sigma^{\frown}\langle e\rangle\ \mathit{generates}_{\phi(\Gamma_{init})}\ \phi(tr)^{\frown}\langle\varepsilon\rangle$, where $e$ is a visible symbolic event of the form $c\S_1 x_1{:}X_1 \ldots \S_k x_k{:}X_k$; and

(iv) $\forall i \in !^t(e) \bullet v_i \in \{0..B-1\}$.

Then

$$\forall v' \in \{1..k\} \to \mathit{Value} \mid (\forall i \in \$^t(e) \cup ?^t(e) \bullet v'_i \in T) \wedge (\forall i \in !(e) \bullet v'_i = v_i) \bullet tr^{\frown}\langle c.v'_1 \ldots v'_k\rangle \in \mathit{traces}(\mathit{Proc}(t), \Gamma_{init}).$$

Proof sketch. By a structural induction on $\mathit{Proc}(t)$. The details are in Appendix B.1. □

The following example illustrates some aspects of Proposition 6.1.

Example 6.2. Let

$$\mathit{Proc}(t) = c!x\$y{:}t?z{:}t \to \text{if } y = z \text{ then } d!x \to \mathit{STOP} \text{ else } d\$w{:}t \to \mathit{STOP}.$$

Note in particular that $\mathit{Proc}(t)$ satisfies $\mathrm{RevPosConjEqT}_T$. Let $T = \{0, 1, 2\}$, $B = 1$ and let $\phi$ be the appropriate 1-collapsing function. We consider four instances.

(1) Let $\Gamma_{init}(x) = 0$, $tr = \langle\rangle$, $\varepsilon = c.0.1.2$, $\sigma = \langle\rangle$ and $e = c!x\$y{:}t?z{:}t$. It is easy to check that conditions (i)-(iv) of the proposition hold. The proposition then implies

$$\forall v'_2, v'_3 \in T \bullet \langle c.0.v'_2.v'_3\rangle \in \mathit{traces}(\mathit{Proc}(t), \Gamma_{init}),$$

which is clearly true.

(2) Now suppose $\Gamma_{init}(x) = 2$ and again $tr = \langle\rangle$ and $e = c!x\$y{:}t?z{:}t$. Then condition (ii) implies $\varepsilon$ is of the form $c.1.v_2.v_3$, for some $v_2, v_3$. But now condition (iv) does not hold, so no conclusion can be reached from the proposition; and indeed $\mathit{traces}(\mathit{Proc}(t), \Gamma_{init})$ does not include traces of the form $\langle c.1.v_2.v_3\rangle$. Condition (iv) ensures that all the values $v_i$ for $i \in !(e)$ are not collapsed within $\phi(tr)^{\frown}\langle\varepsilon\rangle$.

(3) Now consider $\Gamma_{init}(x) = 0$, $tr = \langle c.0.0.2\rangle$, so $\phi(tr) = \langle c.0.0.1\rangle$, and $\varepsilon = d.2$, $\sigma = \langle c!x\$y{:}t?z{:}t, \neg y = z\rangle$ and $e = d\$w{:}t$. It is easy to check that conditions (i)-(iv) of the proposition hold. The proposition then implies

$$\forall v'_1 \in T \bullet \langle c.0.0.2, d.v'_1\rangle \in \mathit{traces}(\mathit{Proc}(t), \Gamma_{init}),$$

which is clearly true, since the process reaches the "else" branch after $\langle c.0.0.2\rangle$.

(4) Now suppose $tr = \langle c.0.1.2\rangle$, so $\phi(tr) = \langle c.0.1.1\rangle$, and $\varepsilon = d.0$, $\sigma = \langle c!x\$y{:}t?z{:}t, y = z\rangle$ and $e = d!x$. It is easy to check that conditions (i)-(iv) of the proposition hold. The proposition then implies

$$\langle c.0.1.2, d.0\rangle \in \mathit{traces}(\mathit{Proc}(t), \Gamma_{init}),$$

which is clearly true. This case shows the importance of $\mathrm{RevPosConjEqT}_T$: the "else" branch must be able to perform (at least) the same events as the "then" branch.

We will need the following definition in order to define our threshold. 

Definition 6.3. We say that visible symbolic events $e$ and $e'$ are non-$t$ equivalent, written $e \equiv_{\mathit{non\text{-}t}} e'$, if they agree on all the fields not of type $t$. For example, $c!a?i{:}t \equiv_{\mathit{non\text{-}t}} c!a\$i{:}t$, but $c!a?i{:}t \not\equiv_{\mathit{non\text{-}t}} c!b?i{:}t$ where $a$ and $b$ are not of type $t$. We lift the relation to sequences of visible symbolic events by pointwise application. Finally we say that symbolic traces $\sigma$ and $\sigma'$ are non-$t$ equivalent, written $\sigma \equiv_{\mathit{non\text{-}t}} \sigma'$, if their restrictions to visible symbolic events are non-$t$ equivalent.

The following function returns the indices of all output variables of type $t$ in all constructs of $P(t)$ corresponding to a symbolic trace that is non-$t$ equivalent to $\sigma^{\frown}\langle e\rangle$.

$$!^t(\sigma, e)(P(t)) = \bigcup \{!(e') \mid \sigma'^{\frown}\langle e'\rangle \in \mathit{SymbolicTraces}(P(t)) \wedge \sigma^{\frown}\langle e\rangle \equiv_{\mathit{non\text{-}t}} \sigma'^{\frown}\langle e'\rangle\}.$$

⁶ The notation $\forall x \in X \mid P(x) \bullet Q(x)$ is equivalent to $\forall x \in X \bullet P(x) \Rightarrow Q(x)$.
Example 6.4. Consider

$$P(t) = in?x:t?y:t?z:t \to \text{if } x = y \text{ then } (\text{if } x = z \text{ then } STOP \text{ else } out!x\$w:t \to STOP) \text{ else } (\text{if } x = z \text{ then } out\$w:t!y \to STOP \text{ else } out\$v:t\$w:t \to STOP).$$

Then $!_t(\langle in?x:t?y:t?z:t, \neg x = y, \neg x = z \rangle, out\$v:t\$w:t)(P(t)) = \{1, 2\}$, since all the constructs using $out$ can be reached on a trace that is non-t equivalent to $\langle in?x:t?y:t?z:t, \neg x = y, \neg x = z, out\$v:t\$w:t \rangle$.

Now consider

$$Q(t) = in?x:\{a, b\}?i:t \to \text{if } x = a \text{ then } c?j:t!i \to STOP \text{ else } c!i?j:t \to STOP,$$

where $a$ and $b$ are not of type $t$. Then $!_t(\langle in!a?i:t \rangle, c?j:t!i)(Q(t)) = \{2\}$, since the construct in the else branch cannot be reached after a symbolic trace that is non-t equivalent to $\langle in!a?i:t \rangle$.

We now present the first of our two main results of this paper. The following theorem establishes a threshold $Thresh_!$ such that if $Spec(t)$ and $Impl(t)$ fulfil certain requirements, then, for all $B \geq Thresh_!$, if $\phi$ is a $B$-collapsing function, then for all $n \geq B$

$$\text{if } Spec(\{0 \ldots B\}) \sqsubseteq_T \phi(Impl(\{0 \ldots n\})) \text{, then } Spec(\{0 \ldots n\}) \sqsubseteq_T Impl(\{0 \ldots n\}).$$

In Section 6.2 we will present an analogous result for the stable failures model.

Theorem 6.5 (Extendibility of traces refinement of systems with replicated components). Suppose that

(i) $Spec(t)$ satisfies $SeqNorm$ and $RevPosConjEqT_T$;

(ii) $Impl(t)$ satisfies $TypeSym$;

(iii) $Thresh_!$ is the maximum number of output positions reachable on non-t equivalent symbolic traces of $Spec(t)$, i.e.

$$Thresh_! = \max\{ \#!_t(\sigma, \hat e)(Spec(t)) \mid \sigma^\frown\langle \hat e \rangle \in SymbolicTraces(Spec(t)) \};$$

(iv) $B \geq Thresh_!$;

(v) $T$ is an instantiation of type $t$ of size at least $B + 1$; and

(vi) $\phi$ is a $B$-collapsing function.

Then if $Spec(\phi(T)) \sqsubseteq_T \phi(Impl(T))$, then $Spec(T) \sqsubseteq_T Impl(T)$.

Proof. Suppose that $Spec(\phi(T)) \sqsubseteq_T \phi(Impl(T))$ and assume for a contradiction that $Spec(T) \not\sqsubseteq_T Impl(T)$. Consider a shortest trace that demonstrates this non-refinement; this trace is necessarily non-empty, so of the form $tr^\frown\langle e \rangle$ such that

$$tr^\frown\langle e \rangle \in traces(Impl(T)), \qquad tr \in traces(Spec(T)), \qquad tr^\frown\langle e \rangle \notin traces(Spec(T)).$$

Suppose that $e = c.v_1 \ldots v_k$. Suppose $tr$ is generated by symbolic trace $\sigma_1$ of $Spec(t)$. We can construct a symbolic event $\hat e_1 = c\S x_1:X_1 \ldots \S x_k:X_k$ to generate $e$ (although $\sigma_1^\frown\langle \hat e_1 \rangle$ might not be a symbolic trace of $Spec(t)$): if $v_i$ is of type $t$ we set $\S x_i:X_i$ to $\$x_i:t$; otherwise we set $\S x_i:X_i$ to $!v_i:null$.

By assumptions (iii) and (iv), $\#!_t(\sigma_1, \hat e_1)(Spec(t)) \leq B$, so let $\pi : T \to T$ be a bijection that maps $\{ v_i \mid i \in\ !_t(\sigma_1, \hat e_1)(Spec(t)) \}$ into $\{0 \ldots B-1\}$. By the corollary in Section 3, $Spec(t)$ satisfies $TypeSym$, and by assumption $Impl(t)$ satisfies $TypeSym$, so by Remark 3.13 we have that

$$\pi(tr)^\frown\langle \pi(e) \rangle \in traces(Impl(T)), \qquad \pi(tr) \in traces(Spec(T)), \qquad \pi(tr)^\frown\langle \pi(e) \rangle \notin traces(Spec(T)). \quad (6.2)$$

Hence,

$$\phi(\pi(tr))^\frown\langle \phi(\pi(e)) \rangle \in traces(\phi(Impl(T))).$$

But $Spec(\phi(T)) \sqsubseteq_T \phi(Impl(T))$, so

$$\phi(\pi(tr))^\frown\langle \phi(\pi(e)) \rangle \in traces(Spec(\phi(T))).$$

However, by Corollary 5.8, $Spec(T) \sqsubseteq_T Spec(\phi(T))$, so

$$\phi(\pi(tr))^\frown\langle \phi(\pi(e)) \rangle \in traces(Spec(T)). \quad (6.3)$$

We can now apply Proposition 6.1 to $Spec(T)$, with $\pi(tr)$ in place of $tr$, and $\phi(\pi(e))$ in place of $e$: condition (i) is satisfied, by (6.2); condition (ii) is satisfied, by (6.3); condition (iii) is satisfied by taking a suitable choice of $\sigma$ to generate $\phi(\pi(tr))$, and taking $\hat e$ to be the symbolic event that generates $\phi(\pi(e))$; condition (iv) is satisfied since $!_t(\hat e) \subseteq\ !_t(\sigma_1, \hat e_1)(Spec(t))$ (since $\sigma^\frown\langle \hat e \rangle \equiv_{non\text{-}t} \sigma_1^\frown\langle \hat e_1 \rangle$), and by construction, all the corresponding fields of $\phi(\pi(e))$ are in $\{0 \ldots B-1\}$. Considering the valuation $v'$ such that $\pi(e) = c.v'_1 \ldots v'_k$ then allows us to deduce that

$$\pi(tr)^\frown\langle \pi(e) \rangle \in traces(Spec(T)).$$

This is a contradiction, which completes our proof. □

Remark 6.6. For every verification problem, the value of $Thresh_!$ in Theorem 6.5 depends only on the specification.

Example 6.7. Recall the process syntax $P(t)$ from Example 6.4. We argued there that $!_t(\langle in?x:t?y:t?z:t, \neg x = y, \neg x = z \rangle, out\$v:t\$w:t)(P(t)) = \{1, 2\}$. Clearly $!_t(\sigma, \hat e)(P(t))$ has fewer elements for other values of $\sigma$ and $\hat e$. Hence $Thresh_! = 2$ in this case.
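The function $!_t(\sigma, \hat e)(P(t))$ and the threshold $Thresh_!$ of Theorem 6.5 (iii), computed mechanically for the processes $P(t)$ and $Q(t)$ of Example 6.4; this is an added Python example, not code from the paper or from TomCAT. It assumes a deliberately simplified, hypothetical symbolic semantics: a process is a tree of prefix constructs and conditionals, inputs and selections over a finite non-t type are instantiated to one symbolic event per value (written as an output of that value, as in $in!a?i:t$), and conditionals on type-$t$ names branch both ways without any satisfiability check.

```python
from itertools import product

T = "t"                          # the parameter type t of the paper
FINITE = {"{a,b}": ["a", "b"]}   # constructed finite non-t type used by Q(t)

class Prefix:
    """Construct c f_1 ... f_k -> nxt; each field is (kind, name, type) with
    kind '!' (output), '?' (deterministic input) or '$' (nondet. selection)."""
    def __init__(self, chan, fields, nxt):
        self.chan, self.fields, self.nxt = chan, fields, nxt

class Cond:
    """if lhs = rhs then then_ else else_ (an equality test on two names)."""
    def __init__(self, lhs, rhs, then_, else_):
        self.lhs, self.rhs, self.then_, self.else_ = lhs, rhs, then_, else_

STOP = None

def concrete(name, env):
    """Value of a non-t name: a bound variable or a literal of a finite type."""
    if name in env:
        return env[name]
    return name if any(name in vs for vs in FINITE.values()) else None

def ev(chan, *fields):
    """A visible symbolic event c f_1 ... f_k."""
    return ("vis", chan, tuple(fields))

def symbolic_traces(proc, env=None):
    """All maximal symbolic traces of proc (hypothetical simplification of the
    paper's semantics): non-t inputs/selections over a finite type become one
    event per value, written as an output; type-t conditionals branch both ways."""
    env = env or {}
    if proc is STOP:
        return [[]]
    if isinstance(proc, Cond):
        l, r = concrete(proc.lhs, env), concrete(proc.rhs, env)
        if l is not None and r is not None:        # decided by non-t values
            branches = [(l == r, proc.then_ if l == r else proc.else_)]
        else:                                      # test on type t: both ways
            branches = [(True, proc.then_), (False, proc.else_)]
        return [[("cond", proc.lhs, proc.rhs, holds)] + tr
                for holds, nxt in branches for tr in symbolic_traces(nxt, env)]
    choices = []                     # per field: list of (field, binding)
    for kind, name, typ in proc.fields:
        if typ == T:
            choices.append([((kind, name, typ), None)])
        elif kind == "!":
            choices.append([(("!", concrete(name, env) or name, typ), None)])
        else:
            choices.append([(("!", v, typ), (name, v)) for v in FINITE[typ]])
    result = []
    for combo in product(*choices):
        env2 = dict(env, **{b[0]: b[1] for _, b in combo if b})
        event = ev(proc.chan, *(f for f, _ in combo))
        result += [[event] + tr for tr in symbolic_traces(proc.nxt, env2)]
    return result

def non_t_equiv(e1, e2):
    """Definition 6.3: visible events agree on all fields not of type t."""
    if e1[1] != e2[1] or len(e1[2]) != len(e2[2]):
        return False
    return all((f[2] == T and g[2] == T) or (f[2] == g[2] != T and f[1] == g[1])
               for f, g in zip(e1[2], e2[2]))

def traces_equiv(tr1, tr2):
    """Lifted to symbolic traces: compare the restrictions to visible events."""
    v1 = [e for e in tr1 if e[0] == "vis"]
    v2 = [e for e in tr2 if e[0] == "vis"]
    return len(v1) == len(v2) and all(map(non_t_equiv, v1, v2))

def bang_t(e):
    """!_t(e): 1-based indices of the output fields of type t in event e."""
    return {i for i, (k, _, ty) in enumerate(e[2], 1) if k == "!" and ty == T}

def bang_t_star(sigma_e, proc):
    """!_t(sigma, e)(P(t)): union of !_t(e') over all symbolic traces
    sigma'^<e'> of proc that are non-t equivalent to sigma^<e>."""
    found = set()
    for tr in symbolic_traces(proc):
        for n in range(1, len(tr) + 1):
            if tr[n - 1][0] == "vis" and traces_equiv(tr[:n], sigma_e):
                found |= bang_t(tr[n - 1])
    return found

def thresh_bang(proc):
    """Thresh_! of Theorem 6.5 (iii): max of #!_t(sigma, e)(proc) over all
    symbolic traces sigma^<e> of proc that end in a visible event."""
    return max([len(bang_t_star(tr[:n], proc)) for tr in symbolic_traces(proc)
                for n in range(1, len(tr) + 1) if tr[n - 1][0] == "vis"] + [0])

# P(t) and Q(t) of Example 6.4, encoded with the classes above
OUT1 = Prefix("out", [("!", "x", T), ("$", "w", T)], STOP)    # out!x$w:t -> STOP
OUT2 = Prefix("out", [("$", "w", T), ("!", "y", T)], STOP)    # out$w:t!y -> STOP
OUT3 = Prefix("out", [("$", "v", T), ("$", "w", T)], STOP)    # out$v:t$w:t -> STOP
P = Prefix("in", [("?", "x", T), ("?", "y", T), ("?", "z", T)],
           Cond("x", "y", Cond("x", "z", STOP, OUT1), Cond("x", "z", OUT2, OUT3)))
Q = Prefix("in", [("?", "x", "{a,b}"), ("?", "i", T)],
           Cond("x", "a", Prefix("c", [("?", "j", T), ("!", "i", T)], STOP),
                          Prefix("c", [("!", "i", T), ("?", "j", T)], STOP)))
```

`thresh_bang(P)` returns 2, agreeing with Example 6.7, while `thresh_bang(Q)` returns 1 because the two `c` constructs of $Q(t)$ lie on traces that are not non-t equivalent.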

If $Spec(t)$ contains no conditional choices, then we can obtain a simpler expression for the threshold.

Proposition 6.8. If $Spec(t)$ contains no conditional choices then

$$Thresh_! = \max\{ \#!_t(\alpha) \mid \alpha \text{ is a construct of } Spec(t) \}.$$

The proof is in Appendix B and shows that in this case there is a unique construct that contributes towards the calculation of each $!_t(\sigma, \hat e)(Spec(t))$.

If $Spec(t)$ uses a conditional, then there may be two such constructs, but by Lemma 5.6, $!_t(\alpha_{then}) \supseteq\ !_t(\alpha_{else})$ where $\alpha_{then}$ and $\alpha_{else}$ are the constructs in the "then" and "else" branches, respectively; hence the above equality still holds. It's only when $Spec(t)$ contains nested conditionals, as in Example 6.4, that one needs to consider multiple constructs together.

Remark 6.9. For all specifications with a finite SSLTS, the value of $Thresh_!$ in Theorem 6.13 can be calculated in a finite amount of time. All states that can be reached by non-t equivalent traces need to be considered together; this can be performed by a process similar to normalisation [Ros97, Appendix C].
Example 6.10. Recall the example from Section 2.3. Earlier, we explained how to use counter abstraction techniques from [Maz10, ML11] to show

$$Spec(\phi(T)) \sqsubseteq_T \phi(Impl(T)), \text{ for all instantiations } T \text{ of } t \text{ with } \#T \geq 3,$$

where

$$Spec(t) = enterCS\$i:t \to leaveCS!i \to Spec(t),$$

and where we took $B = 1$. We can now apply Theorem 6.5. It's clear that condition (i) holds. Condition (ii) holds from the discussion in Example 3.11. From condition (iii) we obtain $Thresh_! = 1$, essentially because $Spec(t)$ contains a single "!"; hence condition (iv) holds. Condition (v) gives a lower bound of 2 on the size of $T$, which is a weaker condition than we have already imposed. Finally condition (vi) holds by construction. Hence we can apply the theorem to deduce

$$Spec(T) \sqsubseteq_T Impl(T), \text{ for all instantiations } T \text{ of } t \text{ with } \#T \geq 3.$$

Smaller values of $T$ can be verified directly.

In [ML11], we describe tool support, called TomCAT, for our counter abstraction techniques. In particular, the tool checks the conditions of Theorem 6.5 and calculates the threshold $Thresh_!$. This part of the tool could easily be adapted to other abstraction techniques that build on the type reduction theory of this paper.

6.2. Threshold results for the stable failures model. In this section we present type reduction theory results analogous to those in Section 6.1, but extended to the stable failures model.

We begin with a proposition that shows that, provided $Proc(t)$ satisfies $SeqNorm$ and $RevPosConjEqT_F$ and given a collapsing function $\phi$, if $tr$ is a trace of $(Proc(t), T_{init}, T)$ (for some sufficiently large $T$), $(\phi(tr), X)$ is a failure of $(Proc(t), \phi(T_{init}), T)$ and events in $initials(Proc(t), T_{init}, T)/tr$ do not have outputs of type $t$ from outside $\{0 \ldots B-1\}$, then $(tr, X)$ is a failure of $(Proc(t), T_{init}, T)$. In this proposition we assume that the underlying type of all configurations is the fixed type $T$.

Proposition 6.11. Let $B$ be some natural number. Suppose that

• $Proc(t)$ satisfies $SeqNorm$ and $RevPosConjEqT_F$;

• $\phi$ is a $B$-collapsing function; and

• $T$ is an instantiation of type $t$ of size at least $B + 1$.

Suppose further that

(i) $tr \in traces(Proc(t), T_{init})$;

(ii) $(\phi(tr), X) \in failures(Proc(t), \phi(T_{init}))$; and

(iii) if $P$ is a configuration such that $(Proc(t), T_{init}) \stackrel{tr}{\Longrightarrow} P$, then every output value of type $t$ of every event in $initials(P)$ is in $\{0 \ldots B-1\}$.

Then $(tr, X) \in failures(Proc(t), T_{init})$.

Proof sketch. By a structural induction on $Proc(t)$. The details are in Appendix B.2.

The following example illustrates some aspects of Proposition 6.11.
Example 6.12. Recall the following process from Example 6.2:

$$Proc(t) = c!x\$y:t?z:t \to \text{if } y = z \text{ then } d!x \to STOP \text{ else } d\$w:t \to STOP.$$

Note in particular that $Proc(t)$ satisfies $RevPosConjEqT_F$. Let $T = \{0, 1, 2\}$, $B = 1$ and let $\phi$ be the appropriate 1-collapsing function. We consider four instances.

(1) Let $T_{init}(x) = 0$, $tr = \langle\rangle$ and $X = \{|c|\} - \{|c.0.1|\}$. Condition (i) of the proposition clearly holds. Condition (ii) holds, considering the case that the nondeterministic selection picks $y = 1$. Condition (iii) holds since the only output value in an event after $tr$ is the value for $x$. The proposition then implies $(tr, X) \in failures(Proc(t), T_{init})$, which is clearly true, considering the case that the nondeterministic selection again picks $y = 1$.

(2) Now suppose $T_{init}(x) = 2$, $tr = \langle\rangle$ and $X = \{|c.2|\}$. Condition (i) clearly holds; condition (ii) holds since the environment $\phi(T_{init})$ maps $x$ to 1. However, condition (iii) does not hold, since the initial configuration can output 2 for $x$. And indeed $(tr, X) \notin failures(Proc(t), T_{init})$, since for some $y \in T$ the event $c.2.y.0$ will be available. Condition (iii) ensures that the output values in initial events after $tr$ are not collapsed.

(3) Now consider $T_{init}(x) = 0$, $tr = \langle c.0.0.2 \rangle$, so $\phi(tr) = \langle c.0.0.1 \rangle$, and $X = \{|c|\} \cup \{ d.v \mid v \neq 2 \}$. Conditions (i) and (iii) clearly hold. Condition (ii) holds, since after $\phi(tr)$ the process takes the "else" branch and can select $w = 2$. The proposition then implies $(tr, X) \in failures(Proc(t), T_{init})$, which is clearly true, since after $tr$ the process again takes the "else" branch and can select $w = 2$.

(4) Now suppose $tr = \langle c.0.1.2 \rangle$, so $\phi(tr) = \langle c.0.1.1 \rangle$, and $X = \{|c|\} \cup \{ d.v \mid v \neq 0 \}$. It is easy to check the three conditions; note that for condition (ii), the failure corresponds to the "then" branch. The proposition then implies $(tr, X) \in failures(Proc(t), T_{init})$, which is clearly true, since after $tr$ the process takes the "else" branch and can select $w = 0$. This case shows the importance of $RevPosConjEqT_F$: the "else" branch must have (at least) all the failures of the "then" branch.

The following theorem is our second key result of this paper. It extends Theorem 6.5 to the stable failures model by establishing a threshold $Thresh$ such that if $Spec(t)$ and $Impl(t)$ fulfil certain requirements, then, for all $B \geq Thresh$, if $Spec(\{0 \ldots B\}) \sqsubseteq_F \phi(Impl(\{0 \ldots n\}))$ then $Spec(\{0 \ldots n\}) \sqsubseteq_F Impl(\{0 \ldots n\})$ for all $n \geq B$.

Recall that, given a symbolic conditional event $cond$ and an environment $\Gamma$, $[\![cond]\!]_\Gamma$ denotes the truth value of the proposition obtained from $cond$ by substituting all free variables of type $t$ with their corresponding values contained within $\Gamma$. We lift the definition of $[\![\cdot]\!]_\Gamma$ to symbolic traces without visible symbolic events in the following way. Given a symbolic trace $\sigma$ in $(Cond \cup \{\tau\})^*$ we let $[\![\sigma]\!]_\Gamma$ be equal to $\bigwedge\{ [\![cond]\!]_\Gamma \mid cond \text{ in } \sigma, cond \in Cond \}$.

Theorem 6.13 (Extendibility of stable failures refinement of systems with replicated components). Suppose that

(i) $Spec(t)$ satisfies $SeqNorm$ and $RevPosConjEqT_F$, and is divergence-free and has a finite alphabet for every finite instantiation of type $t$;

(ii) $Impl(t)$ satisfies $TypeSym$;

(iii) no construct $\alpha$ in $Spec(t)$ combines nondeterministic inputs of type $t$ and deterministic input of any type, i.e. if $\#\$_t(\alpha) > 0$, then $\#?(\alpha) = 0$;

(iv) $T$ is an instantiation of type $t$ such that $\#T \geq B + 1$, where $B$ is as below;

(v) $Thresh = \max\{ Thresh_!,\ \max\{ Thresh_{!t}(\sigma, \Gamma) + Thresh_{?t}(\sigma, \Gamma) \mid \sigma \in SymbolicTraces(Spec(t)) \wedge (\sigma = \langle\rangle \vee last(\sigma) \in Visible) \wedge \Gamma \in Env(T) \} \}$, where

• $Thresh_{!t}(\sigma, \Gamma)$ counts the number of unique output variables of type $t$ in all the visible symbolic events $\hat e$ available in $Spec(t)$ immediately after $\sigma$ such that all conditionals between the last symbolic event of $\sigma$ and $\hat e$ evaluate to $True$, i.e.

$$Thresh_{!t}(\sigma, \Gamma) = \#\{ x_i \mid Spec(t) \stackrel{\sigma}{\Longrightarrow}_s \stackrel{\rho}{\Longrightarrow}_s \stackrel{\hat e}{\Longrightarrow}_s \wedge \rho \in (Cond \cup \{\tau\})^* \wedge [\![\rho]\!]_\Gamma = True \wedge \hat e = c\S_1 x_1:X_1 \ldots \S_k x_k:X_k \in Visible \wedge i \in\ !_t(\hat e) \};$$

• $Thresh_{?t}(\sigma, \Gamma)$ counts the number of (not necessarily unique) input variables of type $t$ in all the visible symbolic events $\hat e$ available in $Spec(t)$ immediately after $\sigma$ such that all conditionals between the last symbolic event of $\sigma$ and $\hat e$ evaluate to $True$, i.e.

$$Thresh_{?t}(\sigma, \Gamma) = \sum\{ \#?_t(\hat e) \mid Spec(t) \stackrel{\sigma}{\Longrightarrow}_s \stackrel{\rho}{\Longrightarrow}_s \stackrel{\hat e}{\Longrightarrow}_s \wedge \rho \in (Cond \cup \{\tau\})^* \wedge \hat e \in Visible \wedge [\![\rho]\!]_\Gamma = True \};$$

• $Thresh_!$ is as in Theorem 6.5;

(vi) $B \geq Thresh$; and

(vii) $\phi$ is a $B$-collapsing function.

Then, if $Spec(\phi(T)) \sqsubseteq_F \phi(Impl(T))$, then $Spec(T) \sqsubseteq_F Impl(T)$.

Proof. Suppose that the refinement $Spec(\phi(T)) \sqsubseteq_F \phi(Impl(T))$ holds and assume for a contradiction that $Spec(T) \not\sqsubseteq_F Impl(T)$. Refinement in the stable failures model implies refinement in the traces model, so $Spec(\phi(T)) \sqsubseteq_T \phi(Impl(T))$. Then, by Theorem 6.5 (which is applicable since its assumptions are weaker than those of this theorem), $Spec(T) \sqsubseteq_T Impl(T)$.

Consider a minimal counterexample $(tr, X)$ to the refinement $Spec(T) \sqsubseteq_F Impl(T)$, i.e.

$$(tr, X) \in failures(Impl(T)), \quad (6.4)$$

$$(tr, X) \notin failures(Spec(T)), \quad (6.5)$$

$$\forall e \in X \bullet (tr, X \setminus \{e\}) \in failures(Spec(T)). \quad (6.6)$$

Observe that there is such a minimal counterexample since we have assumed that specifications are divergence-free and have finite alphabets.

Combining (6.5) and (6.6) we obtain that for all events $e$ in $X$ there exists a state $P_e(T)$ such that

$$Spec(T) \stackrel{tr}{\Longrightarrow} P_e(T) \wedge P_e(T)\ \mathit{ref}\ (X \setminus \{e\}) \wedge P_e(T) \stackrel{e}{\longrightarrow}. \quad (6.7)$$

This also means that every event in $X$ is accepted in some stable state of $Spec(T)$ after $tr$. Hence,

$$X \subseteq initials(Spec(T)/tr). \quad (6.8)$$

We now aim to show that $X$ is dependent upon at most $Thresh$ values from $T$, in a sense that we make precise below. We begin with two properties of $X$.

(1) Firstly, we prove that $X$ is closed under type $t$ nondeterministic inputs of the specification, i.e. we suppose that $e = c.v_1 \ldots v_k \in X$ matches a construct $\alpha$ of $Spec(t)$ (uniqueness follows from Proposition 5.5) with $\#\$_t(\alpha) > 0$ (which, by assumption (iii), implies that $\#?(\alpha) = 0$) and show that

$$\forall v' : \{1 \ldots k\} \to Value \mid (\forall i \in \$_t(\alpha) \bullet v'_i \in T) \wedge (\forall i \in \{1 \ldots k\} \setminus \$_t(\alpha) \bullet v'_i = v_i) \bullet c.v'_1 \ldots v'_k \in X. \quad (6.9)$$

Let $v'$ be as in (6.9) and let $e' = c.v'_1 \ldots v'_k$. Assume for a contradiction that $e'$ is not an event in $X$. Consider the same behaviour that leads to the stable state $P_e(T)$ of (6.7) where $X \setminus \{e\}$ is refused and $e$ is accepted, except that the nondeterministic selections of $\alpha$ are resolved in a way such that the values $v'_i$ are chosen instead of $v_i$ for all $i \in \$_t(\alpha)$; call this stable state $P_{e'}(T)$ (see Figure 6 for an example). The initials of $P_{e'}(T)$ are the same^7 as those of $P_e(T)$, except they contain $e'$ instead of $e$. Therefore, since $X \setminus \{e\}$ is refused in $P_e(T)$, $X \setminus \{e'\}$ must be refused in $P_{e'}(T)$. However, $e' \notin X$ by assumption, so $X$ is refused in $P_{e'}(T)$, which contradicts (6.5).

[Figure 6: The LTS of $Proc(\{0, 1, 2\})$, where $Proc(t) = chn\$x:\{a, b\}\$y:t \to STOP$.]

(2) Secondly, we show that $X$ contains no pairs of events that differ only in values of deterministic inputs of any type, i.e. we suppose that $e = c.v_1 \ldots v_k \in X$ is an event matching a construct $\alpha$ of $Spec(t)$ (uniqueness guaranteed by Proposition 5.5) with $\#?(\alpha) > 0$ (which, by assumption (iii), implies that $\#\$_t(\alpha) = 0$) and show that

$$\forall v' : \{1 \ldots k\} \to Value \mid (\forall i \in \{1 \ldots k\} \setminus ?(\alpha) \bullet v'_i = v_i) \wedge (\exists i \in ?(\alpha) \bullet v'_i \neq v_i) \bullet c.v'_1 \ldots v'_k \notin X. \quad (6.10)$$

Let $v'$ be as in (6.10) and assume for a contradiction that $e' = c.v'_1 \ldots v'_k$ is an event in $X$. Consider the state $P_e(T)$ of (6.7) where $X \setminus \{e\}$ is refused and $e$ is available. Clearly $e'$ is refused in this state, since we assumed it to be in $X$ and hence in $X \setminus \{e\}$ (since $e \neq e'$). This is a contradiction since $e$ and $e'$ differ only in the values of deterministic inputs and hence $e$ is available if and only if $e'$ is.

Recall that $tr$ is a trace of $Spec(T) = (Spec(t), \{\}, T)$; let $(Spec'(t), \Gamma, T)$ be the unique resulting configuration (with uniqueness following from Proposition 5.3), i.e.

$$(Spec(t), \{\}, T) \stackrel{s}{\longrightarrow} (Spec'(t), \Gamma, T), \quad (6.11)$$



^7 This would not be true if specifications could contain constructs that combine nondeterministic selections over type $t$ and deterministic inputs over any type; see Example 6.17 and Example 6.18 below.
for some sequence of concrete events $s$ such that $s$ does not end with a $\tau$ and $s \setminus \{\tau\} = tr$. Observe that

$$(Spec(t), \{\}, T) \stackrel{tr}{\Longrightarrow} (Spec'(t), \Gamma, T).$$

So, thanks to the uniqueness of $Spec'(t)$ and $\Gamma$, and since $s$ does not end with a $\tau$,

$$initials(Spec(T)/tr) = initials(Spec'(t), \Gamma, T).$$

Let $S = S_1 \cup S_2$, where

$$S_1 = \{ v_i \mid e = c.v_1 \ldots v_k \in initials(Spec(T)/tr) \wedge e \text{ matches construct } \alpha \text{ of } Spec(t) \wedge i \in\ !_t(\alpha) \}, \quad (6.12)$$

$$S_2 = \{ v_i \mid c.v_1 \ldots v_k \in X \wedge i \in \{1 \ldots k\} \wedge v_i \in T \wedge \exists v' \in T \bullet c.v_1 \ldots v_{i-1}.v'.v_{i+1} \ldots v_k \notin X \}. \quad (6.13)$$

We now show that $B$ is an upper bound on $\#S$.

Firstly, we deduce from the closure of $X$ under type $t$ nondeterministic inputs of the specification (clause 1, above) that $S_2$ contains no values of type $t$ that come from nondeterministic selections of constructs of $Spec(t)$. Hence and by (6.8), $S_2$ is a subset of the set of values of type $t$ in the events in $initials(Spec(T)/tr) = initials(Spec'(t), \Gamma, T)$ that come from deterministic inputs and outputs only. Observe that if a concrete event of the specification is obtained from a symbolic event using the translation rules of COSE, then all the preceding conditional symbolic events have to evaluate to $True$ in appropriate environments. Also, all conditional symbolic events occurring between any two visible symbolic events are always evaluated within the same environment. Therefore, when working out $initials(Spec'(t), \Gamma, T)$, we can ignore those initial visible symbolic events of $Spec'(t)$ that are preceded by a conditional symbolic event that evaluates to $False$ in $\Gamma$. Finally, from (6.11) and the translation rules of COSE (see Section 4.4.1) we have that there exists $\sigma \in SymbolicTraces(Spec(t))$ such that either $\sigma = \langle\rangle$ or $last(\sigma) \in Visible$ and $Spec(t) \stackrel{\sigma}{\Longrightarrow}_s Spec'(t)$ (so $\sigma$ generates $s$). Hence, the number of type $t$ values matched by deterministic inputs in the events in $S_2$ is at most

$$Thresh_{?t}(\sigma, \Gamma) = \sum\{ \#?_t(\hat e) \mid Spec(t) \stackrel{\sigma}{\Longrightarrow}_s \stackrel{\rho}{\Longrightarrow}_s \stackrel{\hat e}{\Longrightarrow}_s \wedge \rho \in (Cond \cup \{\tau\})^* \wedge \hat e \in Visible \wedge [\![\rho]\!]_\Gamma = True \}.$$

Now, since we assumed no constants of type $t$ in the definition of $Spec(t)$, any type $t$ output value in $S$ must come from some environment. Therefore, the total number of output values of type $t$ in $S$ can never be greater than the total number of different output variable names used in the constructs of $Spec(t)$ that are matched by the members of $initials(Spec(T)/tr)$, i.e. the total number of output values of type $t$ in $S$ is at most

$$Thresh_{!t}(\sigma, \Gamma) = \#\{ x_i \mid Spec(t) \stackrel{\sigma}{\Longrightarrow}_s \stackrel{\rho}{\Longrightarrow}_s \stackrel{\hat e}{\Longrightarrow}_s \wedge \rho \in (Cond \cup \{\tau\})^* \wedge [\![\rho]\!]_\Gamma = True \wedge \hat e = c\S_1 x_1:X_1 \ldots \S_k x_k:X_k \in Visible \wedge i \in\ !_t(\hat e) \}.$$

Summarising the last two paragraphs: all elements of $S$ either match deterministic inputs in the events in $S_2$ (at most $Thresh_{?t}(\sigma, \Gamma)$ such values), or match outputs in either $S_1$ or $S_2$ (at most $Thresh_{!t}(\sigma, \Gamma)$ such values). Therefore,

$$\begin{aligned} \#S &\leq Thresh_{?t}(\sigma, \Gamma) + Thresh_{!t}(\sigma, \Gamma) \\ &\leq \max\{ Thresh_{!t}(\sigma', \Gamma') + Thresh_{?t}(\sigma', \Gamma') \mid \sigma' \in SymbolicTraces(Proc(t)) \wedge (\sigma' = \langle\rangle \vee last(\sigma') \in Visible) \wedge \Gamma' \in Env(T) \} \\ &\leq Thresh \\ &\leq B. \end{aligned}$$

Let $\pi : T \to T$ be a bijection that maps $S$ into $\{0 \ldots B-1\}$. Then, using Remark 3.13 we can infer from (6.4) and (6.5) that

$$(\pi(tr), \pi(X)) \in failures(Impl(T)), \quad (6.14)$$

$$(\pi(tr), \pi(X)) \notin failures(Spec(T)). \quad (6.15)$$

Now, by the denotational semantics of renaming [Ros97],

$$failures(\phi(Impl(T))) = \{ (\phi(tr'), Y) \mid (tr', \phi^{-1}(Y)) \in failures(Impl(T)) \}. \quad (6.16)$$

Let $c.v_1 \ldots v_k$ be an event in $X$. Let $i$ be in $\{1 \ldots k\}$ such that $v_i$ is of type $t$. Our construction of $S$ implies that either (1) $v_i$ is in $S$, in which case $\pi(v_i)$ is in $\{0 \ldots B-1\}$, or (2) $v_i$ matches a nondeterministic input of type $t$, in which case the closure of $X$ under nondeterministic inputs of the specification (clause 1 on p. 39) implies that for all values $v'$ in $T$, $c.v_1 \ldots v_{i-1}.v'.v_{i+1} \ldots v_k$ is in $X$. Therefore, if $c.w_1 \ldots w_k$ is an event in $\pi(X)$, then for every $i$ in $\{1 \ldots k\}$ such that $w_i$ is of type $t$, we have that either (1) $w_i$ is in $\{0 \ldots B-1\}$, or (2) $c.w_1 \ldots w_{i-1}.w'.w_{i+1} \ldots w_k$ is in $\pi(X)$ for all values $w'$ in $T$. This, thanks to the definition of $\phi$, means that $\forall e \in \phi(\pi(X)) \bullet \phi^{-1}(e) \subseteq \pi(X)$. This implies that $\phi^{-1}(\phi(\pi(X))) \subseteq \pi(X)$, which trivially implies that

$$\phi^{-1}(\phi(\pi(X))) = \pi(X).$$

Combining with (6.14) and (6.16), we get that

$$(\phi(\pi(tr)), \phi(\pi(X))) \in failures(\phi(Impl(T))).$$

However, $Spec(\phi(T)) \sqsubseteq_F \phi(Impl(T))$, so

$$(\phi(\pi(tr)), \phi(\pi(X))) \in failures(Spec(\phi(T))). \quad (6.17)$$

We now show that

$$(\phi(\pi(tr)), \pi(X)) \in failures(Spec(T)). \quad (6.18)$$

Firstly, (6.17) implies that there exists a configuration $(P(t), \Gamma, \phi(T))$ such that

$$Spec(\phi(T)) = (Spec(t), \{\}, \phi(T)) \stackrel{\phi(\pi(tr))}{\Longrightarrow} (P(t), \Gamma, \phi(T))\ \mathit{ref}\ \phi(\pi(X)). \quad (6.19)$$

Let $e = c.v_1 \ldots v_k$ be in $\phi(initials(P(t), \Gamma, T))$ and let $\alpha$ be the unique construct of $Spec(t)$ that $e$ matches (with uniqueness following from Proposition 5.5). Then there exists a function $v' : \{1 \ldots k\} \to Value$ such that

$$e' = c.v'_1 \ldots v'_k \in initials(P(t), \Gamma, T) \quad (6.20)$$

and $\phi(e') = e$, i.e.

$$\forall i \in \{1 \ldots k\} \bullet \phi(v'_i) = v_i. \quad (6.21)$$
We know that $(P(t), \Gamma, \phi(T))$ must be a stable state, as otherwise it would not be able to refuse $\phi(\pi(X))$. This means that all values of nondeterministic selections of constructs that generate the events in $initials(P(t), \Gamma, \phi(T))$ had been chosen before this state was reached (and are necessarily in $\phi(T)$). Hence, and since $\Gamma \in Env(\phi(T))$ implies $\Gamma \in Env(T)$, we have that $initials(P(t), \Gamma, \phi(T))$ and $initials(P(t), \Gamma, T)$ are the same, except for values of deterministic inputs of type $t$. Formally,

$$initials(P(t), \Gamma, \phi(T)) = \{ c.w_1 \ldots w_k \mid c.w'_1 \ldots w'_k \in initials(P(t), \Gamma, T) \text{ matches construct } \alpha' \wedge w \in \{1 \ldots k\} \to Value \wedge (\forall i \in \{1 \ldots k\} \setminus ?_t(\alpha') \bullet w_i = w'_i) \wedge \forall i \in ?_t(\alpha') \bullet w_i \in \phi(T) \}. \quad (6.22)$$

Also, since $\Gamma \in Env(\phi(T))$, all values of type $t$ used in the events of $initials(P(t), \Gamma, T)$ and that match nondeterministic selections or outputs, are in $\phi(T) = \{0 \ldots B\}$:

$$\forall i \in \$_t(\alpha) \cup\ !_t(\alpha) \bullet v'_i \in \{0 \ldots B\},$$

which, thanks to the properties of $\phi$, and combined with the fact that for all non-t values $val$, $\phi(val) = val$, gives us that

$$\forall i \in \{1 \ldots k\} \setminus ?_t(\alpha) \bullet \phi(v'_i) = v'_i.$$

Hence and by the definition of $v'$ (6.21),

$$\forall i \in \{1 \ldots k\} \setminus ?_t(\alpha) \bullet v_i = v'_i. \quad (6.23)$$

In addition, since $c.v_1 \ldots v_k$ is in $\phi(initials(P(t), \Gamma, T))$, it must be that

$$\forall i \in ?_t(\alpha) \bullet v_i \in \phi(T). \quad (6.24)$$

Combining (6.20), (6.22), (6.23) and (6.24) we get that $e$ is in $initials(P(t), \Gamma, \phi(T))$. Hence

$$\phi(initials(P(t), \Gamma, T)) \subseteq initials(P(t), \Gamma, \phi(T)). \quad (6.25)$$

Conversely, let $e = c.v_1 \ldots v_k$ be in $initials(P(t), \Gamma, \phi(T))$. From Proposition 5.7 we can infer that

$$initials(P(t), \Gamma, \phi(T)) \subseteq initials(P(t), \Gamma, T),$$

so $e$ is in $initials(P(t), \Gamma, T)$. Hence, $\phi(e)$ is in $\phi(initials(P(t), \Gamma, T))$. However, for all $i$ in $\{1 \ldots k\}$, $v_i$ is either a value of a non-t type or it is a value in $\phi(T)$. Hence,

$$\forall i \in \{1 \ldots k\} \bullet \phi(v_i) = v_i,$$

so $\phi(e) = e$ and therefore $e \in \phi(initials(P(t), \Gamma, T))$. Hence,

$$initials(P(t), \Gamma, \phi(T)) \subseteq \phi(initials(P(t), \Gamma, T)).$$

Combining the above with (6.25) we have that

$$\phi(initials(P(t), \Gamma, T)) = initials(P(t), \Gamma, \phi(T)). \quad (6.26)$$

We now aim to show that

$$(P(t), \Gamma, T)\ \mathit{ref}\ \pi(X). \quad (6.27)$$

Suppose for a contradiction that there exists an event $x$ in $\pi(X) \cap initials(P(t), \Gamma, T)$. Then (6.26) implies that $\phi(x) \in \phi(\pi(X)) \cap initials(P(t), \Gamma, \phi(T))$. This in turn means that $\phi(\pi(X)) \cap initials(P(t), \Gamma, \phi(T))$ is non-empty, contradicting (6.19). Hence, (6.27) holds. Finally, applying Corollary 5.8 to (6.19), we have that

$$(Spec(t), \{\}, T) \stackrel{\phi(\pi(tr))}{\Longrightarrow} (P(t), \Gamma, T).$$

This, combined with (6.27) implies that (6.18) holds.

We now seek to apply Proposition 6.11 to $\pi(tr)$ and $\pi(X)$. From equation (6.14), $\pi(tr) \in traces(Impl(T))$. However, we have already shown that $Spec(T) \sqsubseteq_T Impl(T)$, so

$$\pi(tr) \in traces(Spec(T)) = traces(Spec(t), \{\}, T).$$

This gives us condition (i) of Proposition 6.11. Equation (6.18) (and the fact that $\phi(\{\}) = \{\}$) gives us condition (ii). In addition, our definition of $S_1$ (6.12), combined with the definition of $\pi$, implies that every output value of type $t$ of every event in $initials(Spec(T)/\pi(tr))$ is in $\{0 \ldots B-1\}$, which gives us condition (iii). Hence, we can infer that

$$(\pi(tr), \pi(X)) \in failures(Spec(t), \{\}, T) = failures(Spec(T)).$$

This is a contradiction to (6.15), which completes our proof. □

Some observations related to Theorem 6.13 are now in order.

Remark 6.14. For every verification problem, the value of $Thresh$ in Theorem 6.13 depends only on the specification.

Remark 6.15. For all specifications with a finite SSLTS, the value of $Thresh$ in Theorem 6.13 can be calculated in a finite amount of time. The term $Thresh_!$ can be calculated as in Remark 6.9. The other term can be obtained by calculating $Thresh_{!t}(\sigma, \Gamma) + Thresh_{?t}(\sigma, \Gamma)$ for each symbolic state that is either the initial state or that has an incoming visible transition.

Example 6.16. Recall the example from Section 2.3. In Example 6.10 we showed how to apply Theorem 6.5 to deduce results in the traces model. We now, similarly, show how to apply Theorem 6.13 to deduce results in the stable failures model. We can use the counter abstraction techniques to verify

$$Spec(\phi(T)) \sqsubseteq_F \phi(Impl(T)), \text{ for all instantiations } T \text{ of } t \text{ with } \#T \geq 3,$$

where again

$$Spec(t) = enterCS\$i:t \to leaveCS!i \to Spec(t),$$

and where we took $B = 1$. It is clear that conditions (i), (ii) and (iii) of Theorem 6.13 hold. From condition (v) we obtain $Thresh = 1$, essentially because $Spec(t)$ contains a single "!" and no "?"; hence condition (vi) holds. Condition (iv) gives a lower bound of 2 on the size of $T$, which is a weaker condition than we have already imposed. Finally condition (vii) holds by construction. Hence we can apply the theorem to deduce

$$Spec(T) \sqsubseteq_F Impl(T), \text{ for all instantiations } T \text{ of } t \text{ with } \#T \geq 3.$$

Smaller values of $T$ can be verified directly.

As with the theorem for the traces model, the tool TomCAT can be used to verify the conditions of Theorem 6.13 and to calculate the threshold.

At first, condition (iii) of Theorem 6.13 — that no construct of the specification combines nondeterministic inputs of type $t$ and deterministic inputs of any type — may seem somewhat arbitrary. However, without it, there are specifications $Spec(t)$ and implementations $Impl(t)$ such that no threshold exists: for all values of $B$, there exists an instantiation $T$ of type $t$ such that $Spec(\phi(T)) \sqsubseteq_F \phi(Impl(T))$ and yet $Spec(T) \not\sqsubseteq_F Impl(T)$. The following examples illustrate such pairs of processes, where a nondeterministic input of type $t$ is combined with a deterministic input of type $t$ (Example 6.17) and with a deterministic input of a non-t type (Example 6.18).

Example 6.17. Let

$$Spec(t) = c\$x:t?y:t \to STOP,$$

$$Impl(t) = \Box\, y:t \bullet c?x:(t \setminus \{y\})!y \to STOP.$$

Note, in particular, that $Impl(t)$ satisfies $TypeSym$.

Let $B$ be an arbitrary positive number, and let $\phi$ be as in the statement of Theorem 6.13. Let $T = \{0 \ldots N\}$ where $N \geq B + 1$. It is easy to see that $traces(\phi(Impl(T))) \subseteq traces(Spec(\phi(T)))$. Further, whatever value $Impl(T)$ chooses for $y$, $(T \setminus \{y\}) \cap \{B \ldots N\} \neq \{\}$; hence $(\langle\rangle, \{c.B.B\}) \notin failures(\phi(Impl(T)))$. This helps to see that

$$\begin{aligned} failures(\phi(Impl(T))) &= \{ (\langle\rangle, X) \mid X \subseteq \{ c.x.x \mid x \in \{0 \ldots B-1\} \} \} \cup \{ (\langle c.x.y \rangle, X) \mid y \in \{0 \ldots B\} \wedge x \in \{0 \ldots B\} \setminus \{y\} \wedge X \subseteq \Sigma \} \\ &\subseteq \{ (\langle\rangle, X) \mid X \subseteq \{ c.x.y \mid x \in \{0 \ldots B\} \setminus \{p\} \wedge y \in \{0 \ldots B\} \} \wedge p \in \{0 \ldots B\} \} \cup \{ (\langle c.x.y \rangle, X) \mid x, y \in \{0 \ldots B\} \wedge X \subseteq \Sigma \} \\ &= failures(Spec(\phi(T))). \end{aligned}$$

Hence $Spec(\phi(T)) \sqsubseteq_F \phi(Impl(T))$. However,

$$(\langle\rangle, \{ c.x.x \mid x \in T \}) \in failures(Impl(T)) \setminus failures(Spec(T)),$$

so $Spec(T) \not\sqsubseteq_F Impl(T)$.
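As an added mechanical check of Example 6.17 (Python written for this page, not code from the paper or from TomCAT), the following computes the initial stable acceptance sets of $Spec(T)$ and $Impl(T)$ for $T = \{0 \ldots N\}$, collapses the acceptances of $Impl(T)$ via (6.16), and tests the initial-failures part of $\sqsubseteq_F$ on both the collapsed and the concrete side. It assumes the $B$-collapsing function is $\phi(v) = \min(v, B)$, consistent with $\phi(2) = 1$ for $B = 1$ in Example 6.12; the trace inclusion needs no check here because $Spec(T)$ allows every event $c.x.y$.

```python
def phi(v, B):
    """Assumed B-collapsing function on T = {0..N}: identity below B, B above."""
    return min(v, B)

def spec_acceptances(T):
    """Initial stable acceptance sets of Spec(t) = c$x:t?y:t -> STOP over T:
    one stable state per nondeterministic choice of x, offering c.x.y for all y."""
    return [frozenset((x, y) for y in T) for x in T]

def impl_acceptances(T):
    """Impl(t) = [] y:t . c?x:(t \\ {y})!y -> STOP over T has a single stable
    initial state, offering c.x.y for every x != y."""
    return [frozenset((x, y) for y in T for x in T if x != y)]

def collapse(accs, B):
    """Acceptances of phi(P) from (6.16): phi(P) refuses Y iff P refuses
    phi^-1(Y), i.e. iff Y is disjoint from phi(A) for an acceptance A of P."""
    return [frozenset((phi(x, B), phi(y, B)) for x, y in A) for A in accs]

def refines_initial_failures(spec_accs, impl_accs):
    """Initial-failures half of Spec ⊑_F Impl: every refusal of Impl must be
    a refusal of some stable state of Spec, i.e. each acceptance of Impl must
    contain some acceptance of Spec (the traces agree, see the lead-in)."""
    return all(any(S <= A for S in spec_accs) for A in impl_accs)

def check_example_6_17(B, N):
    """Returns (collapsed refinement holds, concrete refinement holds) for the
    processes of Example 6.17 with T = {0..N} and phi(T) = {0..B}."""
    T, Tc = range(N + 1), range(B + 1)
    collapsed = refines_initial_failures(spec_acceptances(Tc),
                                         collapse(impl_acceptances(T), B))
    concrete = refines_initial_failures(spec_acceptances(T), impl_acceptances(T))
    return collapsed, concrete

def refused_by_impl_not_spec(T):
    """The witness of Example 6.17: X = {c.x.x | x in T} is refused by Impl(T)
    but by no stable state of Spec(T)."""
    X = frozenset((x, x) for x in T)
    impl_refuses = any(X.isdisjoint(A) for A in impl_acceptances(T))
    spec_refuses = any(X.isdisjoint(S) for S in spec_acceptances(T))
    return impl_refuses and not spec_refuses

if __name__ == "__main__":
    for B in (1, 2, 5):
        print(B, check_example_6_17(B, B + 1), check_example_6_17(B, 3 * B))
```

For every $B$ and every $N \geq B + 1$ the collapsed check succeeds while the concrete one fails, which is exactly the absence of a threshold; with $N = B$, so that $\#T < B + 1$, even the collapsed check fails, matching the size requirement on $T$.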

Example 6.18. Let $B$ be an arbitrary positive integer, and $Y = \{y_1, y_2\}$ a type other than $t$ of size 2. Let

$$Spec(t) = c\$x:t?y:Y \to STOP,$$

$$Impl_B(t) = \Box\, y:Y \bullet (\sqcap\, X \subseteq t \wedge \#X = B + 1 \bullet c?x:X!y \to STOP).$$

Note, in particular, that $Impl_B(t)$ satisfies $TypeSym$.

Let $\phi$ be as in the statement of Theorem 6.13 and let $T = \{0 \ldots N\}$ where $N \geq 2B + 1$. It is easy to see that $traces(\phi(Impl_B(T))) \subseteq traces(Spec(\phi(T)))$. Further, whatever value $Impl_B(T)$ chooses for $X$, $X \cap \{B \ldots N\} \neq \{\}$; hence $(\langle\rangle, \{c.B.y\}) \notin failures(\phi(Impl_B(T)))$ for every $y \in Y$. This helps to see that

$$\begin{aligned} failures(\phi(Impl_B(T))) &\subseteq \{ (\langle\rangle, R) \mid R \subseteq \{ c.x.y \mid x \in \{0 \ldots B-1\} \wedge y \in Y \} \} \cup \{ (\langle c.x.y \rangle, R) \mid x \in \{0 \ldots B\} \wedge y \in Y \wedge R \subseteq \Sigma \} \\ &\subseteq \{ (\langle\rangle, R) \mid R \subseteq \{ c.x.y \mid x \in \{0 \ldots B\} \setminus \{p\} \wedge y \in Y \} \wedge p \in \{0 \ldots B\} \} \cup \{ (\langle c.x.y \rangle, R) \mid x \in \{0 \ldots B\} \wedge y \in Y \wedge R \subseteq \Sigma \} \\ &= failures(Spec(\phi(T))). \end{aligned}$$

Hence $Spec(\phi(T)) \sqsubseteq_F \phi(Impl_B(T))$.

However, suppose the two values chosen for $X$ when $y = y_1$ and $y = y_2$ are disjoint (this is possible since $\#T \geq 2B + 2$). Then $Impl_B(T)$ has an initial failure $(\langle\rangle, R)$ such that for each $x \in T$, there is some $z$ such that $c.x.z \in R$; this is not a failure allowed by $Spec(T)$, so $Spec(T) \not\sqsubseteq_F Impl_B(T)$.

7. Conclusions 

Given a specification Spec(t) and an implementation Impl(t), direct model checking can help 
us to find bugs in the implementation for a finite (and small) number of instantiations T 
of parameter t. However, one is often interested in uniform verification, i.e. in proving 
correctness for all T. 

Lazić's theory of data independence [Laz99] (see Section 3.1) for the CSP process algebra solves the problem of uniform verification of parameterised systems with the parameter being a datatype. Inspired by these results, we have developed a type reduction theory (with the key results captured by Theorem 6.5 and Theorem 6.13), which establishes the size of a fixed type $\hat T$ and a collapsing function $\phi$ that maps all types $T$ larger than $\hat T$ to $\hat T$, and such that for all $T$ such that $\hat T \subseteq T$,

$$Spec(\hat T) \sqsubseteq \phi(Impl(T)) \text{ implies that } Spec(T) \sqsubseteq Impl(T) \quad (7.1)$$

with both refinements in either the traces or the stable failures model. In order for the above to hold, the processes have to satisfy certain conditions, the most important of which include a normality condition, $SeqNorm$ (see Definition 3.5), for specifications and a type symmetry condition, $TypeSym$ (see Definition 3.6), for implementations.

Our type reduction theory makes extensive use of symbolic representation of process behaviour, which allows us to use known behaviours of one instantiation of a specification to deduce behaviours of another one. In Section 4 we presented a symbolic operational semantics for CSP processes that satisfy Seq, and we provided a set of translation rules that allow us to concretise symbolic transition graphs. We also showed that, crucially, the combination of the symbolic operational semantics and the translation rules is congruent to a fairly standard operational semantics.

Since the process $\phi(Impl(T))$ used in (7.1) still depends on $T$, the type reduction theory, on its own, does not resolve the problem of an infinite number of refinement checks needed to solve a given verification problem. However, the usefulness of the theory comes from the fact that it can be combined with an abstraction method that produces models $Abstr$ such that for all sufficiently large $T$,

$$Abstr \sqsubseteq \phi(Impl(T)). \quad (7.2)$$

We can then test, using a model checker, that $Spec(\hat T) \sqsubseteq Abstr$. This allows us to deduce, from transitivity of refinement and (7.1), that $Spec(T) \sqsubseteq Impl(T)$ holds for all sufficiently large $T$ (and the verification problem can be solved directly for all smaller $T$). One suitable abstraction technique (based on ideas of counter abstraction) can be found in [Maz10, ML11].

7.1. Automation. We can automatically check process syntaxes for the syntactic require- 
ments of data independence (Definition 3.1) and SeqNorm (Definition 3.5). Checking for 
the semantic requirements of the TypeSym condition (Definition 3.6) is difficult in practice 
due to the universal quantification over all instantiations of the type parameter $t$. However, 
we can automatically verify implementation definitions as to whether they satisfy the five 
simple syntactic conditions of Proposition 3.9 and infer TypeSym. 
Checking RevPosConjEqT (Definition 3.15) is the most problematic when it comes 
to automation. The problem lies in the universal quantification over all instantiations of 
the parameter variables of the arguments of conditional choices. Currently, it is left to 
the user to provide a proof that for every conditional choice of the form "if $cond$ then 
$P(x_1, \ldots, x_k)$ else $Q(x_1, \ldots, x_k)$" in a given specification, where $cond \in Cond$, $cond$ is a 
positive conjunction of equality tests on $t$ and $Q(v_1, \ldots, v_k) \sqsubseteq P(v_1, \ldots, v_k)$ for all values 
$v_1, \ldots, v_k$. In general, the problem of RevPosConjEqT satisfiability is undecidable, since 
a general (undecidable) PMCP problem of the form $Spec(x) \sqsubseteq Impl(x)$, where $x$ is a param- 
eter, can be reduced to checking whether $in?x{:}t?y{:}t \to \text{if } x = y \text{ then } Impl(x) \text{ else } Spec(x)$ 
satisfies RevPosConjEqT. However, in most practical situations it is not too difficult to 
provide a convincing proof that, regardless of parameters, the "then" branch of every condi- 
tional choice on $t$ forms a refinement of its "else" branch, as often the branches are similar, 
except for the use of operators that introduce different levels of nondeterminism (e.g. using 
$\sqcap$ in the positive branch versus $\Box$ in the negative one). 

As noted in Remarks 6.9 and 6.15, the calculation of the thresholds in Theorems 6.5 
and 6.13 can be fully automated. 

7.2. Multiple distinguished types. Throughout this paper we assumed the presence of 
a single distinguished type $t$. It is easy to extend our techniques to any finite number of 
distinguished types, say $t_1, t_2, \ldots, t_n$, provided all of them are pairwise independent. All 
requirements are extended in the natural way, e.g. each specification $Spec(t_1, t_2, \ldots, t_n)$ must 
now be data independent in each of the $n$ types, and each implementation $Impl(t_1, \ldots, t_n)$ 
must satisfy TypeSym with respect to each of $t_1, t_2, \ldots, t_n$. The threshold in each of 
Theorems 6.5 and 6.13 is then replaced by a tuple of values $(Thresh_1, Thresh_2, \ldots, Thresh_n)$, 
where each $Thresh_i$ is a threshold for the collapsing of the values of type $t_i$. 

7.3. Related work. We are not aware of any other, similar type reduction theory for 
parameterised systems with the parameter describing the number of node processes forming 
a network. Ideas closest to ours are those of data independence. In [Laz99] Lazić provides 
results similar to ours, except that his theory allows us to deduce that 

$$Spec(\hat{T}) \sqsubseteq Impl(\hat{T}) \;\text{ implies that }\; Spec(T) \sqsubseteq Impl(T)$$

instead of (7.1). This makes data independence theory applicable without the need for 
abstraction techniques, but, since both $Spec$ and $Impl$ are assumed to be data independent, 
it does not allow the use of replicated operators indexed over the distinguished type, which 
is a key part of all the implementations we consider. 

7.4. Future work. The operational semantics that we presented in Section 4.3 served 
an important purpose in proving the results of our type reduction theory. However, our 
type reduction theory assumes that processes satisfy the Seq condition. Therefore, for 
brevity, we provided operational semantics rules only for those operators that Seq allows. 
To increase the generality, it would be desirable to formalise symbolic transition rules for 
parallel compositions, renaming, hiding and replicated choices. 

We would like to extend our type reduction theory to the failures/divergences model 
of CSP (see e.g. [Ros97]). However, usually the only divergences property one is interested 
in is full divergence-freedom. In practice, this might be an easier problem to verify for 
all instantiations of the distinguished type than verifying failures/divergences refinement. 
Once a system is shown to be divergence-free, a refinement check in the stable failures model 
implies refinement in the failures/divergences model. 

Finally, we presented our type reduction techniques for processes modelled using the 
CSP process algebra. It would be desirable to research how well these ideas map across to 
other formalisms. 
Lazić and the anonymous referees for very useful comments. This work was partially funded 

Appendix A. Proofs for Section 5 

In this appendix, we prove the results from Section 5. We start with a few lemmas that are 
used in the proofs of those results. 

In some proofs by structural induction in this and subsequent appendices, some of the 
cases are straightforward and are omitted; they can be found in [Maz10]. 

The following lemma shows that (for a process that satisfies SeqNorm), each visible 
or conditional symbolic event leads to a unique symbolic state. 

Lemma A.1. Suppose that $Proc(t)$ satisfies SeqNorm. Let $e$ be a visible or conditional 
symbolic event and suppose that 

$$Proc(t) \xrightarrow{\sigma_1}_S Proc'_1(t) \quad \text{and} \quad Proc(t) \xrightarrow{\sigma_2}_S Proc'_2(t),$$

where $\sigma_1 = \tau^a \frown \langle e \rangle$ for $a \ge 0$, and $\sigma_2 = \tau^b \frown \langle e \rangle$ for $b \ge 0$. Then $Proc'_1(t) = Proc'_2(t)$. 

Proof. We prove the result by a structural induction on $Proc(t)$. We give just the cases for 
prefix and external choice. 

Prefix. Suppose $Proc(t) = \alpha \to Proc'(t)$ for some construct $\alpha = c\S_1 x_1{:}X_1 \ldots \S_k x_k{:}X_k$. 
Clearly $e$ must be a visible symbolic event matching $\alpha$, say $c\S'_1 x'_1{:}X'_1 \ldots \S'_k x'_k{:}X'_k$. We consider 
two different cases, corresponding to the number of nondeterministic selections over non-$t$ 
types of $\alpha$. 

Case 1. Suppose that $\#\$^{non\text{-}t}(\alpha) = 0$. Then, by Symbolic Prefix Rule 1 (p. 23), it must be 
that $\sigma_1 = \sigma_2 = \langle e \rangle$ with $e$ in $\mathit{Comms}^{non\text{-}t}(\alpha)$ and 

$$Proc'_1(t) = Proc'_2(t) = Proc'(t)[x'_i/x_i \mid i \in ?^{non\text{-}t}(\alpha)].$$

Case 2. Suppose that $\#\$^{non\text{-}t}(\alpha) > 0$. Then Symbolic Prefix Rule 2 (p. 23) implies that 
the only symbolic transitions in $Proc(t)$ are 

$$Proc(t) \xrightarrow{\tau}_S (\mathit{Replace}^{non\text{-}t}_{\$}(\alpha) \to Proc'(t))[v_i/x_i \mid i \in \$^{non\text{-}t}(\alpha)],$$

for each function $v$ with $\mathrm{dom}(v) = \{1 \,..\, k\}$ and such that if $i$ is in $\$^{non\text{-}t}(\alpha)$, then $v_i$ is in $X_i$. 
We are guaranteed that $\#\$^{non\text{-}t}(\mathit{Replace}^{non\text{-}t}_{\$}(\alpha)) = 0$, so Symbolic Prefix Rule 1 (p. 23) 
implies that there are two functions $v$ as above, say $v^1$ and $v^2$, such that for $j \in \{1, 2\}$: 

$$Proc'_j(t) = (Proc'(t)[v^j_i/x_i \mid i \in \$^{non\text{-}t}(\alpha)])[x'_i/x_i \mid i \in ?^{non\text{-}t}(\alpha)],$$

$$e \in \mathit{Comms}^{non\text{-}t}((\mathit{Replace}^{non\text{-}t}_{\$}(\alpha))[v^j_i/x_i \mid i \in \$^{non\text{-}t}(\alpha)]).$$

Then, thanks to the definition of $\mathit{Comms}^{non\text{-}t}$, $v^1$ and $v^2$ are equal under domain restriction 
to $\$^{non\text{-}t}(\alpha)$. Therefore, $Proc'_1(t) = Proc'_2(t)$. 

External choice. Suppose that $Proc(t) = P(t) \mathrel{\Box} Q(t)$ for some process syntaxes $P(t)$ 
and $Q(t)$. Since $Proc(t)$ satisfies SeqNorm, we know that neither $P(t)$ nor $Q(t)$ contains a 
conditional choice on $t$ before a prefix. Therefore $e$ cannot be a conditional symbolic event, 
so must be a visible symbolic event. SeqNorm implies that the channels of the initial 
visible symbolic events of $P(t)$ and $Q(t)$ are disjoint, so we have that either $P(t) \xrightarrow{\tau^*}_S \xrightarrow{e}_S$ 
or $Q(t) \xrightarrow{\tau^*}_S \xrightarrow{e}_S$, but not both. Without loss of generality we assume the former. Then 
the inductive hypothesis implies that there is a unique symbolic state $P'(t)$ such that 

$$P(t) \xrightarrow{\tau^*}_S \xrightarrow{e}_S P'(t).$$

Even though there may be some $\tau$'s, contributed by $Q(t)$, in the symbolic trace of $Proc(t)$ 
leading to $Proc'_1(t)$, the uniqueness of $P'(t)$ implies that $Proc'_1(t) = Proc'_2(t) = P'(t)$. □ 

The following corollary lifts the previous lemma to traces. 

Corollary A.2. Suppose that $Proc(t)$ satisfies SeqNorm. Suppose further that 

$$Proc(t) \xrightarrow{\sigma}_S P(t) \quad \text{and} \quad Proc(t) \xrightarrow{\sigma'}_S Q(t).$$

Then if neither $\sigma$ nor $\sigma'$ ends with a $\tau$ and $\sigma =_{non\text{-}\tau} \sigma'$, then $P(t) = Q(t)$. 

Proof. By induction on the number of visible and conditional symbolic events of $\sigma$ and $\sigma'$ 
(which must be equal, since $\sigma =_{non\text{-}\tau} \sigma'$), and using Lemma A.1. □ 
The following lemma relates two initial visible symbolic events on the same channel. 

Lemma A.3. Suppose that $Proc(t)$ satisfies SeqNorm, and $\sigma, \sigma' \in (Cond \cup \{\tau\})^*$ are 
such that $\sigma =_{non\text{-}\tau} \sigma'$. Then, if $Proc(t) \xrightarrow{\sigma}_S \xrightarrow{e}_S$ and $Proc(t) \xrightarrow{\sigma'}_S \xrightarrow{e'}_S$, where 
$e = c\S_1 x_1{:}X_1 \ldots \S_k x_k{:}X_k$ and $e' = c'\S'_1 x'_1{:}X'_1 \ldots \S'_l x'_l{:}X'_l$ are visible symbolic events, then: 

(i) if the channels of $e$ and $e'$ are identical (i.e. $c = c'$), then the parts of $e$ and $e'$ involving 
type $t$ are equal, i.e. 

$$\$^t(e) \cup ?^t(e) \cup !^t(e) = \$^t(e') \cup ?^t(e') \cup !^t(e') \;\wedge$$

$$\forall i \in \$^t(e) \cup ?^t(e) \cup !^t(e) \bullet \S_i = \S'_i \wedge x_i = x'_i \wedge X_i = X'_i;$$

(ii) if $\mathit{Insts}_\Gamma(e) \cap \mathit{Insts}_\Gamma(e') \ne \{\}$ for some environment $\Gamma$, then $e = e'$. 

Proof. Firstly, observe that if $\mathit{Insts}_\Gamma(e) \cap \mathit{Insts}_\Gamma(e') \ne \{\}$, then the channels of $e$ and $e'$ 
must be the same. Hence in both cases $c = c'$. Since every channel has a fixed structure 
of the communication along it, the number of components of $e$ and $e'$ must be identical, i.e. 
$k = l$. We can prove both clauses using a structural induction on $Proc(t)$. We give just the 
case for prefix, since it is the most interesting. 

Suppose that $Proc(t) = \alpha \to Proc'(t)$ for some construct $\alpha = c\S_1 x_1{:}X_1 \ldots \S_k x_k{:}X_k$ and 
some process syntax $Proc'(t)$. We perform a case analysis on the number of nondeterministic 
selections over non-$t$ types of $\alpha$. 

Case 1. Suppose that $\#\$^{non\text{-}t}(\alpha) = 0$. Then, by Symbolic Prefix Rule 1 (p. 23) (observe that 
the other symbolic firing rules are not applicable in this case), it must be that $\sigma = \sigma' = \langle\rangle$, 
and that both $e$ and $e'$ are in $\mathit{Comms}^{non\text{-}t}(\alpha)$. By the definition of $\mathit{Comms}^{non\text{-}t}$ (p. 23), 
$e$ and $e'$ may differ only in the values of deterministic inputs of non-$t$ types of $\alpha$. Hence, 
clause (i) of the lemma holds. To prove clause (ii), we let $c.v_1 \ldots v_k$ be a common member 
of $\mathit{Insts}_\Gamma(e)$ and $\mathit{Insts}_\Gamma(e')$. Then the definition of $\mathit{Insts}_\Gamma$ (p. 30) implies that 

$$\forall i \in !(e) \bullet \S_i = \S'_i = \,! \;\wedge\; x_i = x'_i \;\wedge\; v_i = \Gamma(x_i) \;\wedge\; X_i = X'_i = null. \tag{A.1}$$

The definition of $\mathit{Comms}^{non\text{-}t}$ implies that $?^{non\text{-}t}(\alpha) \subseteq !(e)$, so 

$$\forall i \in ?^{non\text{-}t}(\alpha) \bullet \S_i = \S'_i = \,! \;\wedge\; x_i = x'_i \;\wedge\; X_i = X'_i = null.$$

This, combined with clause (i) of the lemma, (A.1) and the fact that $\$^{non\text{-}t}(\alpha) = \{\}$, implies 
that $e = e'$. 

Case 2. Suppose that $\#\$^{non\text{-}t}(\alpha) > 0$. Then, by Symbolic Prefix Rule 2 (p. 23) (observe 
that the other symbolic firing rules are not applicable in this case), the only transitions in 
$Proc(t)$ are 

$$Proc(t) \xrightarrow{\tau}_S (\mathit{Replace}^{non\text{-}t}_{\$}(\alpha) \to Proc'(t))[v_i/x_i \mid i \in \$^{non\text{-}t}(\alpha)]$$

$$= \mathit{Replace}^{non\text{-}t}_{\$}(\alpha)[v_i/x_i \mid i \in \$^{non\text{-}t}(\alpha)] \to Proc'(t)[v_i/x_i \mid i \in \$^{non\text{-}t}(\alpha)]$$

for functions $v$ such that $\mathrm{dom}(v) = \$^{non\text{-}t}(\alpha)$, and if $i$ is in $\$^{non\text{-}t}(\alpha)$ then $v_i$ is in $X_i$. Clearly 

$$\#\$^{non\text{-}t}(\mathit{Replace}^{non\text{-}t}_{\$}(\alpha)[v_i/x_i \mid i \in \$^{non\text{-}t}(\alpha)]) = 0$$

for every such function $v$, so Symbolic Prefix Rule 1 (p. 23) implies that 

$$e \in \mathit{Comms}^{non\text{-}t}((\mathit{Replace}^{non\text{-}t}_{\$}(\alpha))[v_i/x_i \mid i \in \$^{non\text{-}t}(\alpha)]),$$

$$e' \in \mathit{Comms}^{non\text{-}t}((\mathit{Replace}^{non\text{-}t}_{\$}(\alpha))[v'_i/x_i \mid i \in \$^{non\text{-}t}(\alpha)]),$$

for some functions $v$ and $v'$ such that $\mathrm{dom}(v) = \mathrm{dom}(v') = \$^{non\text{-}t}(\alpha)$ and if $i$ is in $\$^{non\text{-}t}(\alpha)$, 
then $v_i$ and $v'_i$ are in $X_i$. The definition of $\mathit{Comms}^{non\text{-}t}$ (p. 23) implies that the parts of 
$e$ and $e'$ that involve type $t$ are identical, which proves clause (i) of the lemma. To prove 
clause (ii), we let $c.v_1 \ldots v_k$ be a common member of $\mathit{Insts}_\Gamma(e)$ and $\mathit{Insts}_\Gamma(e')$. Then the 
definition of $\mathit{Insts}_\Gamma$ (p. 30) implies that 

$$\forall i \in !(e) \bullet \S_i = \S'_i = \,! \;\wedge\; x_i = x'_i \;\wedge\; v_i = \Gamma(x_i) \;\wedge\; X_i = X'_i = null. \tag{A.2}$$

However, the definition of $\mathit{Comms}^{non\text{-}t}$ implies that 

$$?^{non\text{-}t}(\alpha) = ?^{non\text{-}t}((\mathit{Replace}^{non\text{-}t}_{\$}(\alpha))[v_i/x_i \mid i \in \$^{non\text{-}t}(\alpha)]) \subseteq !(e),$$

$$\$^{non\text{-}t}(\alpha) \subseteq !^{non\text{-}t}((\mathit{Replace}^{non\text{-}t}_{\$}(\alpha))[v_i/x_i \mid i \in \$^{non\text{-}t}(\alpha)]) \subseteq !(e).$$

Hence, 

$$\forall i \in \$^{non\text{-}t}(\alpha) \cup ?^{non\text{-}t}(\alpha) \bullet \S_i = \S'_i \;\wedge\; x_i = x'_i \;\wedge\; X_i = X'_i.$$

This, combined with clause (i) of the lemma and (A.2), implies that $e = e'$. □ 

The following lemma shows that if a process can perform a conditional event initially 
(after only $\tau$s), then all its initial events (after $\tau$s) must be that conditional or its negation. 

Lemma A.4. Suppose that $Proc(t)$ satisfies SeqNorm. Then, if $Proc(t) \xrightarrow{\sigma}_S \xrightarrow{cond}_S$ and 
$Proc(t) \xrightarrow{\sigma'}_S \xrightarrow{\alpha}_S$, where $\sigma, \sigma' \in \{\tau\}^*$, $cond \in Cond$ and $\alpha \ne \tau$, then $\alpha \in \{cond, \neg cond\}$. 

Proof. Since $Proc(t)$ satisfies SeqNorm, we know that there are no conditionals before 
prefixes in branches of external, internal and sliding choices. Hence one of the following 
must hold: 

(i) $Proc(t)$ is a conditional choice on $t$, where the boolean condition is equal to $cond$ or 
$\neg cond$; 

(ii) $Proc(t)$ is a process identifier bound by the global environment $\mathcal{E}$ to a conditional 
choice like that in clause (i) or (iii); or 

(iii) $Proc(t)$ is a conditional choice whose boolean condition immediately evaluates to $True$ 
or $False$, and the appropriate branch is a process syntax as in clause (i) or (ii). 

This means that the only transitions available in $Proc(t)$ are $Proc(t) \xrightarrow{\tau^*}_S \xrightarrow{cond}_S$ and 
$Proc(t) \xrightarrow{\tau^*}_S \xrightarrow{\neg cond}_S$. □ 

The following lemma shows that if two symbolic traces each contain a single visible sym- 
bolic event, and each trace can be instantiated in the same environment, then they contain 
the same conditional events before the visible event, essentially because those conditionals 
must evaluate to $True$ in the initial environment. 

Lemma A.5. Suppose that $Proc(t)$ satisfies SeqNorm. Let $\sigma \frown \langle e \rangle$, $\sigma' \frown \langle e' \rangle$ be symbolic traces 
of $Proc(t)$ such that $\sigma, \sigma' \in (Cond \cup \{\tau\})^*$, $e, e' \in Visible$, $\sigma \frown \langle e \rangle$ $\mathit{generates}_\Gamma$ $\langle \mathbf{e} \rangle$ and 
$\sigma' \frown \langle e' \rangle$ $\mathit{generates}_\Gamma$ $\langle \mathbf{e}' \rangle$ for some environment $\Gamma$ and some visible events $\mathbf{e}$ and $\mathbf{e}'$. Then 

$$\sigma =_{non\text{-}\tau} \sigma'.$$

Proof. Let $\kappa : SymbolicTraces(Proc(t)) \to \mathbb{N}$ be a function that returns the number of 
conditional symbolic events within a given symbolic trace. We prove the result using an 
induction on $\kappa(\sigma)$. 

Base case. Suppose that $\kappa(\sigma) = 0$. Then $\sigma \in \{\tau\}^*$, so $Proc(t) \xrightarrow{\tau^*}_S \xrightarrow{e}_S$. Suppose, for a 
contradiction, $\kappa(\sigma') > 0$. Then $\sigma' = \tau^a \frown \langle cond \rangle \frown \rho$ for some $a \ge 0$, some $cond \in Cond$ and 
some symbolic trace $\rho \in (Cond \cup \{\tau\})^*$. Therefore $Proc(t) \xrightarrow{\tau^a}_S \xrightarrow{cond}_S$. By Lemma A.4, 
$e \in \{cond, \neg cond\}$. This is a contradiction as $e \in Visible$. Therefore $\kappa(\sigma') = 0$, which 
means that $\sigma' \in \{\tau\}^*$. Hence $\sigma =_{non\text{-}\tau} \sigma'$. 

Inductive case. Suppose that the result holds for all process syntaxes and all their symbolic 
traces with exactly $k$ conditional symbolic events. Consider $\kappa(\sigma) = k + 1$. Then $\sigma = 
\tau^a \frown \langle cond \rangle \frown \rho$ for some $a \ge 0$, some $cond \in Cond$ and some $\rho \in (Cond \cup \{\tau\})^*$ with $\kappa(\rho) = k$. 
Arguing similarly to the base case, $\kappa(\sigma') > 0$. Therefore $\sigma' = \tau^b \frown \langle cond' \rangle \frown \rho'$ for some $b \ge 0$, 
some $cond' \in Cond$ and some $\rho' \in (Cond \cup \{\tau\})^*$. By Lemma A.4, $cond' \in \{cond, \neg cond\}$. 
Since $\sigma \frown \langle e \rangle$ $\mathit{generates}_\Gamma$ $\langle \mathbf{e} \rangle$ and $\sigma' \frown \langle e' \rangle$ $\mathit{generates}_\Gamma$ $\langle \mathbf{e}' \rangle$, $cond$ and $cond'$ must both evaluate 
to $True$ within $\Gamma$, because there are no visible symbolic events within $\sigma$ and $\sigma'$ before $cond$ 
and $cond'$, respectively, that could modify the environment $\Gamma$. So it must be that $cond = 
cond'$. By Lemma A.1 there is a unique state $P(t)$ such that $Proc(t) \xrightarrow{\tau^*}_S \xrightarrow{cond}_S P(t)$. 
Hence $\rho \frown \langle e \rangle$ and $\rho' \frown \langle e' \rangle$ are both symbolic traces of $P(t)$ such that $\rho \frown \langle e \rangle$ $\mathit{generates}_\Gamma$ $\langle \mathbf{e} \rangle$ and 
$\rho' \frown \langle e' \rangle$ $\mathit{generates}_\Gamma$ $\langle \mathbf{e}' \rangle$. Therefore, by the inductive hypothesis, $\rho =_{non\text{-}\tau} \rho'$, which implies 
that $\sigma =_{non\text{-}\tau} \sigma'$. □ 



A.1. Proofs of main results. We can now prove the results stated in Section 5. In order 
to prove Proposition 5.3 we will need the following lemma. 

Lemma A.6. Suppose that $Proc(t)$ satisfies SeqNorm. Suppose further that 

$$(Proc(t), \Gamma_{init}) \xrightarrow{\mathbf{e}} (P(t), \Gamma),$$

$$(Proc(t), \Gamma_{init}) \xrightarrow{\mathbf{e}} (Q(t), \Gamma'),$$

where $\mathbf{e}$ is a visible event. Then $P(t) = Q(t)$ and $\Gamma = \Gamma'$. 

Proof. By the translation rules of COSE (see Section 4.4.1), there must exist symbolic 
traces $\sigma, \sigma'$ and visible symbolic events $e = c\S_1 x_1{:}X_1 \ldots \S_k x_k{:}X_k$ and $e' = c'\S'_1 x'_1{:}X'_1 \ldots \S'_l x'_l{:}X'_l$ 
such that 

• $Proc(t) \xrightarrow{\sigma}_S \xrightarrow{e}_S P(t)$ and $Proc(t) \xrightarrow{\sigma'}_S \xrightarrow{e'}_S Q(t)$; and 

• $\sigma \frown \langle e \rangle$ $\mathit{generates}_{\Gamma_{init}}$ $\langle \mathbf{e} \rangle$ and $\sigma' \frown \langle e' \rangle$ $\mathit{generates}_{\Gamma_{init}}$ $\langle \mathbf{e} \rangle$. 

Then it must be that $\sigma, \sigma' \in (Cond \cup \{\tau\})^*$. So, by Lemma A.5, $\sigma =_{non\text{-}\tau} \sigma'$. From the 
definition of the generates relation (p. 29) we have that $\mathbf{e} \in \mathit{Insts}_{\Gamma_{init}}(e) \cap \mathit{Insts}_{\Gamma_{init}}(e')$, so 
Lemma A.3 implies that $e = e'$. Hence $\sigma \frown \langle e \rangle =_{non\text{-}\tau} \sigma' \frown \langle e' \rangle$ and so we can infer, using Corol- 
lary A.2, that $P(t) = Q(t)$. In addition, the translation rules of COSE (see Section 4.4.1) 
imply that if $\mathbf{e} = c.v_1 \ldots v_k$, then 

$$\Gamma = \Gamma_{init} \oplus \{x_i \mapsto v_i \mid i \in \$^t(e) \cup ?^t(e)\},$$

$$\Gamma' = \Gamma_{init} \oplus \{x'_i \mapsto v_i \mid i \in \$^t(e') \cup ?^t(e')\}.$$

However, $e = e'$, so $\Gamma = \Gamma'$, as required. □ 

Proof of Proposition 5.3. By a straightforward induction on the length of $s \setminus \{\tau\}$ and using 
Lemma A.6. □ 






T. MAZUR AND G. LOWE 



Proof of Proposition 5.4. We prove the result by an induction on the length of $tr$. 

Base case. Suppose that $tr = \langle\rangle$. Then $\sigma$ $\mathit{generates}_\Gamma$ $\langle\rangle$ and $\sigma'$ $\mathit{generates}_\Gamma$ $\langle\rangle$. Therefore, 
by the definition of the generates relation (p. 29), $\sigma$ and $\sigma'$ cannot contain visible symbolic 
events. Hence, by the assumptions of this proposition, $\sigma = \sigma' = \langle\rangle$, which means that 

$$\sigma =_{non\text{-}\tau} \sigma'.$$

Inductive case. Suppose that the result holds for all traces of length $k$. Consider a trace 
$tr_{k+1}$ of length $k + 1$. Then there exists a trace $tr_k$ of length $k$ and a visible event $\mathbf{e}$ such 
that $tr_{k+1} = tr_k \frown \langle \mathbf{e} \rangle$. There must also exist symbolic traces $\sigma_1, \sigma'_1, \sigma_2$ and $\sigma'_2$ such that 

• either $\sigma_1 = \sigma'_1 = \langle\rangle$ or both $\sigma_1$ and $\sigma'_1$ end in a visible symbolic event; 

• $\sigma = \sigma_1 \frown \sigma_2$ and $\sigma' = \sigma'_1 \frown \sigma'_2$; and 

• $\sigma_1$ $\mathit{generates}_\Gamma$ $tr_k$ and $\sigma'_1$ $\mathit{generates}_\Gamma$ $tr_k$. 

Then, by the inductive hypothesis, $\sigma_1 =_{non\text{-}\tau} \sigma'_1$. Hence, if $P(t)$ and $Q(t)$ are such that 
$Proc(t) \xrightarrow{\sigma_1}_S P(t)$ and $Proc(t) \xrightarrow{\sigma'_1}_S Q(t)$, then, by Corollary A.2, $P(t) = Q(t)$. 

Let $\Gamma'$ be the environment reached after $tr_k$, i.e. such that $(Proc(t), \Gamma) \xRightarrow{s} (P(t), \Gamma')$ 
for some $s$ such that $s \setminus \tau = tr_k$; by Proposition 5.3, $\Gamma'$ is unique. We now have that 
$\sigma_2$ $\mathit{generates}_{\Gamma'}$ $\langle \mathbf{e} \rangle$ and $\sigma'_2$ $\mathit{generates}_{\Gamma'}$ $\langle \mathbf{e} \rangle$. Hence $\sigma_2, \sigma'_2 \ne \langle\rangle$. Therefore, both $\sigma_2$ and $\sigma'_2$ 
must end in a visible symbolic event (since they are suffixes of $\sigma$ and $\sigma'$). So $\sigma_2 = \rho \frown \langle e \rangle$ 
and $\sigma'_2 = \rho' \frown \langle e' \rangle$ for some symbolic traces $\rho, \rho' \in (Cond \cup \{\tau\})^*$ and some visible symbolic 
events $e$ and $e'$. Hence, by Lemma A.5, $\rho =_{non\text{-}\tau} \rho'$. Also from the definition of generates 
we have that $\mathbf{e} \in \mathit{Insts}_{\Gamma'}(e) \cap \mathit{Insts}_{\Gamma'}(e')$, so, by Lemma A.3, $e = e'$. Therefore $\sigma_2 =_{non\text{-}\tau} \sigma'_2$, 
and hence $\sigma =_{non\text{-}\tau} \sigma'$. □ 

Proof of Proposition 5.5. Suppose for contradiction that $\alpha \ne \alpha'$. Definition 5.1 implies that 
$\alpha$ and $\alpha'$ give rise to $\mathbf{e}$ immediately after $tr$. By Proposition 5.4, if $\sigma \frown \langle e \rangle$ and $\sigma' \frown \langle e' \rangle$ are both 
symbolic traces of $Proc(t)$ such that $\sigma \frown \langle e \rangle$ and $\sigma' \frown \langle e' \rangle$ generate $tr \frown \langle \mathbf{e} \rangle$ and where $e$ and $e'$ are 
visible, then $\sigma =_{non\text{-}\tau} \sigma'$ and $e = e'$. We now have that $e$ matches both $\alpha$ and $\alpha'$. Then the 
firing rules of SSOS (see Section 4.3.2) imply that $\alpha$ and $\alpha'$ must be constructs in different 
branches of an external, internal or sliding choice. Since both of these constructs give rise 
to the same concrete event, $\mathbf{e}$, their channels must be identical. Hence, $Proc(t)$ contains 
a binary choice with branches sharing a common channel name. This contradicts the fact 
that $Proc(t)$ satisfies SeqNorm, so it must be that $\alpha = \alpha'$. □ 

Proof of Lemma 5.6. Suppose for a contradiction that there is some $j \in !(e') \setminus !(e)$. Then 
$j \in \$^t(e) \cup ?^t(e)$ (since $\$^{non\text{-}t}(e) = ?^{non\text{-}t}(e) = \{\}$ by Remark 3.3). This means that the 
$j$-th variable or value of $e'$ is of type $t$, so $j \in !^t(e')$. Suppose $\mathbf{e} = c.v_1 \ldots v_k$ and let 
$\mathbf{e}' = c.v_1 \ldots v_{j-1}.v'_j.v_{j+1} \ldots v_k$, where $v'_j \in T \setminus \{v_j\}$. By Remark 3.3, if a process can 
perform a given event, then it can also perform every other event that differs only in the 
values of inputs. Therefore $tr \frown \langle \mathbf{e}' \rangle \in traces(P(t), \Gamma_{init}, T)$, i.e. $\mathbf{e}'$ matches $\mathbf{e}$. 

Since $(Q(t), \Gamma_{init}, T) \sqsubseteq_T (P(t), \Gamma_{init}, T)$, we must have $tr \frown \langle \mathbf{e}' \rangle \in traces(Q(t), \Gamma_{init}, T)$. 
Clause (iii), combined with the fact that $v'_j$ is an output for $Q(t)$, different from $v_j$, implies 
that $\sigma' \frown \langle e' \rangle$ cannot generate $tr \frown \langle \mathbf{e}' \rangle$ within $\Gamma_{init}$. So let $\rho \frown \langle e'' \rangle \in SymbolicTraces(Q(t))$ 
be such that $\rho \frown \langle e'' \rangle$ $\mathit{generates}_{\Gamma_{init}}$ $tr \frown \langle \mathbf{e}' \rangle$. Also, let $\sigma' = \sigma_1 \frown \sigma_2$ and $\rho = \rho_1 \frown \rho_2$, where 
$\sigma_1$ and $\rho_1$ are either both the empty symbolic trace or both end with visible symbolic 
events, and $\sigma_2, \rho_2 \in (Cond \cup \{\tau\})^*$. Then clause (iii) implies that $\sigma_1$ $\mathit{generates}_{\Gamma_{init}}$ $tr$ 
and $\rho_1$ $\mathit{generates}_{\Gamma_{init}}$ $tr$, so by Proposition 5.4, $\sigma_1 =_{non\text{-}\tau} \rho_1$. Hence, if $Q'(t)$ and $Q''(t)$ 
are symbolic states such that $Q(t) \xrightarrow{\sigma_1}_S Q'(t)$ and $Q(t) \xrightarrow{\rho_1}_S Q''(t)$, then, thanks to 
Corollary A.2, we have that $Q'(t) = Q''(t)$. 

[Figure 7: Illustration of the proof of Lemma 5.6. The diagram shows $\sigma_1 =_{non\text{-}\tau} \rho_1$ (both generating $tr$ from $\Gamma_{init}$), the common state $Q(t) \xrightarrow{}_S Q'(t) = Q''(t)$, and the two continuations $\sigma_2 \frown \langle e' \rangle$ $\mathit{generates}_\Gamma$ $\langle \mathbf{e} \rangle$ and $\rho_2 \frown \langle e'' \rangle$ $\mathit{generates}_\Gamma$ $\langle \mathbf{e}' \rangle$.] 

Let $\Gamma$ be the environment reached after $tr$, i.e. such that $(Q(t), \Gamma_{init}, T) \xRightarrow{s} (Q'(t), \Gamma, T)$ 
for some $s$ such that $s \setminus \tau = tr$; by Proposition 5.3, $\Gamma$ is unique. Then we have that 

• $\sigma_2 \frown \langle e' \rangle, \rho_2 \frown \langle e'' \rangle \in SymbolicTraces(Q'(t))$; 

• $\langle \mathbf{e} \rangle, \langle \mathbf{e}' \rangle \in traces(Q'(t), \Gamma, T)$; 

• $\sigma_2 \frown \langle e' \rangle$ $\mathit{generates}_\Gamma$ $\langle \mathbf{e} \rangle$; and 

• $\rho_2 \frown \langle e'' \rangle$ $\mathit{generates}_\Gamma$ $\langle \mathbf{e}' \rangle$. 

Hence we can deduce from Lemma A.5 that $\sigma_2 =_{non\text{-}\tau} \rho_2$. Let $e' = c\S'_1 x'_1{:}X'_1 \ldots \S'_k x'_k{:}X'_k$ and 
$e'' = c\S''_1 x''_1{:}X''_1 \ldots \S''_k x''_k{:}X''_k$. Then, since the channels of $e'$ and $e''$ are the same, Lemma A.3 
implies that $!^t(e') = !^t(e'')$ and $x'_j = x''_j$. Since $\sigma_2 \frown \langle e' \rangle$ $\mathit{generates}_\Gamma$ $\langle \mathbf{e} \rangle = \langle c.v_1 \ldots v_k \rangle$ and 
$\rho_2 \frown \langle e'' \rangle$ $\mathit{generates}_\Gamma$ $\langle \mathbf{e}' \rangle = \langle c.v_1 \ldots v_{j-1}.v'_j.v_{j+1} \ldots v_k \rangle$ and $j \in !^t(e'')$ (as $j \in !^t(e')$), we have 
that $\Gamma(x'_j) = v_j$ and $\Gamma(x''_j) = v'_j$. Hence $v_j = v'_j$. This is a contradiction, so $!(e') \subseteq !(e)$. □ 



Proof of Proposition 5.7. Since $\hat{T}$ is a subset of $T$, we have that $\Gamma, \Gamma' \in Env(\hat{T})$ implies 
$\Gamma, \Gamma' \in Env(T)$, since every partial function from $Var$ to $\hat{T}$ is also a partial function from 
$Var$ to $T$. We now prove the result using an induction on $n$, the number of times Translation 
Rule 4 of COSE (p. 28) had to be applied in order to obtain the transition in (5.1). 

Base case. Suppose that $n = 0$. We separately consider the cases for $a$ being $\tau$ or visible. 

Case 1. Suppose that $a = \tau$. Then the translation rules of COSE (see Section 4.4.1) imply 
that the transition in (5.1) can be a result of either Translation Rule 1 (p. 27) or Translation 
Rule 3 (p. 28). 

For Translation Rule 1, it must be that $Proc(t) \xrightarrow{e}_S P(t)$ for some visible symbolic 
event $e = c\S_1 x_1{:}X_1 \ldots \S_k x_k{:}X_k$ such that $\#\$^t(e) > 0$ and some symbolic state $P(t)$. In 
addition, $Proc'(t) = \mathit{Replace}^t_{\$}(e, Proc(t))$ and $\Gamma' = \Gamma \oplus \{x_i \mapsto v_i \mid i \in \$^t(e)\}$, where $v$ is 
a function in $\$^t(e) \to \hat{T}$. Then $v$ is also a function in $\$^t(e) \to T$, so Translation Rule 1 
implies that 

$$(Proc(t), \Gamma, T) \xrightarrow{\tau} (\mathit{Replace}^t_{\$}(e, Proc(t)), \Gamma \oplus \{x_i \mapsto v_i \mid i \in \$^t(e)\}, T) = (Proc'(t), \Gamma', T).$$

If the transition in (5.1) results from Translation Rule 3, then $Proc(t) \xrightarrow{\tau}_S Proc'(t)$ and 
$\Gamma = \Gamma'$. The same rule then yields $(Proc(t), \Gamma, T) \xrightarrow{\tau} (Proc'(t), \Gamma', T)$. 

Case 2. Suppose that $a = c.v_1 \ldots v_k$ is a visible event. Then the translation rules of COSE 
imply that the transition in (5.1) must be the result of Translation Rule 2 (p. 27). The rule 
implies that $Proc(t) \xrightarrow{e}_S Proc'(t)$ for some visible symbolic event $e = c\S_1 x_1{:}X_1 \ldots \S_k x_k{:}X_k$ 
such that $\#\$^t(e) = 0$. In addition, $\Gamma' = \Gamma \oplus \{x_i \mapsto v_i \mid i \in ?^t(e)\}$, and for all $i$ in $?^t(e)$, 
$v_i$ is in $\hat{T}$. However, since $\hat{T} \subseteq T$, we have that for all $i$ in $?^t(e)$, $v_i$ is in $T$. Therefore 
Translation Rule 2 implies that 

$$(Proc(t), \Gamma, T) \xrightarrow{a} (Proc'(t), \Gamma \oplus \{x_i \mapsto v_i \mid i \in ?^t(e)\}, T) = (Proc'(t), \Gamma', T).$$

This completes the base case. 

Inductive case. Suppose the result holds for some $n = k$, where $k \ge 0$. Suppose that the 
transition in (5.1) requires $k + 1$ applications of Translation Rule 4. Then it must be that 
$Proc(t) \xrightarrow{cond}_S P(t)$ and $(P(t), \Gamma, \hat{T}) \xrightarrow{a} (Proc'(t), \Gamma', \hat{T})$. The latter transition requires $k$ 
applications of Translation Rule 4, so the inductive hypothesis implies that $(P(t), \Gamma, T) \xrightarrow{a} 
(Proc'(t), \Gamma', T)$. Hence, by Translation Rule 4, $(Proc(t), \Gamma, T) \xrightarrow{a} (Proc'(t), \Gamma', T)$, which 
completes our proof. □ 

Proof of Corollary 5.8. Let $s$ be an event-sequence with $(Proc(t), \Gamma, T) \xRightarrow{s} (Proc'(t), \Gamma', T)$ 
and $s \setminus \{\tau\} = tr$. Then the result follows from a simple induction on the length of $s$ using 
Proposition 5.7. □ 



Appendix B. Proofs for Section 6 

B.1. Proofs for Section 6.1 

Proof of Proposition. We prove the result using a structural induction on $Proc(t)$. We 
give just the cases for prefix and conditional choice. 

Prefix. Suppose that $Proc(t) = \alpha \to P(t)$ where $\alpha = c\S_1 x_1{:}X_1 \ldots \S_k x_k{:}X_k$. We consider 
two cases. 

Subcase 1. Suppose that $tr = \langle\rangle$. Then $\sigma \in \{\tau\}^*$, and $Proc(t) \xrightarrow{\tau^*}_S \xrightarrow{e}_S$. Using Translation 
Rule 3 (p. 28) and Remark 4.14 we get that 

$$\forall v' \in \{1 \,..\, k\} \to Value \mid (\forall i \in \$^t(e) \cup ?^t(e) \bullet v'_i \in T) \wedge (\forall i \in !(e) \bullet v'_i = \Gamma_{init}(x_i)) \bullet \langle c.v'_1 \ldots v'_k \rangle \in traces(Proc(t), \Gamma_{init}). \tag{B.1}$$

Since $tr = \langle\rangle$, assumption (iii) of the proposition implies that $\langle e \rangle$ $\mathit{generates}_{\phi(\Gamma_{init})}$ $\langle \mathbf{e} \rangle$. 
Therefore, by assumption (iv), 

$$\forall i \in !^t(e) \bullet v_i = (\phi(\Gamma_{init}))(x_i) \wedge v_i \in \{0 \,..\, B - 1\}.$$

Suppose that $v' \in \{1 \,..\, k\} \to Value$ is such that 

$$(\forall i \in \$^t(e) \cup ?^t(e) \bullet v'_i \in T) \wedge (\forall i \in !(e) \bullet v'_i = v_i).$$

Then $\forall i \in !^t(e) \bullet v'_i = (\phi(\Gamma_{init}))(x_i) \wedge v'_i \in \{0 \,..\, B - 1\}$. However, the properties of $\phi$ imply 
that for all variables $var$ and all values $val$, we have that 

$$(\phi(\Gamma_{init}))(var) = val \wedge val \in \{0 \,..\, B - 1\} \Rightarrow \Gamma_{init}(var) = val,$$






so 

$$\forall i \in !^t(e) \bullet v'_i = \Gamma_{init}(x_i). \tag{B.2}$$

In addition, from the definition of generates, $\forall i \in !^{non\text{-}t}(e) \bullet v_i = (\phi(\Gamma_{init}))(x_i)$. But we 
know that $\forall i \in !^{non\text{-}t}(e) \bullet v'_i = v_i$, so 

$$\forall i \in !^{non\text{-}t}(e) \bullet v'_i = (\phi(\Gamma_{init}))(x_i) = \Gamma_{init}(x_i)$$

with the last equality following from the fact that for all $i$ in $!^{non\text{-}t}(e)$, $x_i$ must be of a non-$t$ 
type. Hence and from (B.2), 

$$\forall i \in !(e) \bullet v'_i = \Gamma_{init}(x_i).$$

Therefore, (B.1) implies that $\langle c.v'_1 \ldots v'_k \rangle \in traces(Proc(t), \Gamma_{init})$. We have shown: 

$$\forall v' \in \{1 \,..\, k\} \to Value \mid (\forall i \in \$^t(e) \cup ?^t(e) \bullet v'_i \in T) \wedge (\forall i \in !(e) \bullet v'_i = v_i) \bullet \langle c.v'_1 \ldots v'_k \rangle \in traces(Proc(t), \Gamma_{init}),$$

which is what we wanted to show. 

Subcase 2. Suppose that $tr = \langle \mathbf{e}' \rangle \frown tr'$ for some visible event $\mathbf{e}'$ and some trace $tr'$. Then 
$\phi(tr) = \langle \phi(\mathbf{e}') \rangle \frown \phi(tr')$. So clearly $\phi(tr)$ is non-empty and we know that $\sigma$ $\mathit{generates}_{\phi(\Gamma_{init})}$ 
$\phi(tr)$. By the definition of generates, it must be that there is at least one visible symbolic 
event within $\sigma$. Hence $\sigma = \sigma_1 \frown \langle e' \rangle \frown \sigma_2$ for some visible symbolic event $e'$ and some symbolic 
traces $\sigma_1$ and $\sigma_2$ such that $\sigma_1$ is in $\{\tau\}^*$ ($\sigma_1$ cannot contain any conditional symbolic events 
because $Proc(t)$ is a prefix). Then 

$$Proc(t) \xrightarrow{\sigma_1}_S \xrightarrow{e'}_S P'(t) \quad \text{and} \quad \sigma_2 \frown \langle e \rangle \in SymbolicTraces(P'(t)), \tag{B.3}$$

where $P'(t)$ is like $P(t)$, but with some substitutions of concrete values for the non-$t$ type 
input variables of $\alpha$, as dictated by the SSOS firing rules for prefix (Section 4.3.2). We aim 
to apply the inductive hypothesis to $P'(t)$. 

We can infer using Translation Rule 3 (p. 28) and Remark 4.14 that 

$$(Proc(t), \phi(\Gamma_{init})) \xRightarrow{\phi(\mathbf{e}')} (P'(t), \phi(\Gamma_{init}) \oplus \mathit{Match}(e', \phi(\mathbf{e}'))),$$

where, recall from Section 4.6, $\mathit{Match}(e', \phi(\mathbf{e}'))$ is a map from type $t$ input variables 
of $e'$ to the corresponding concrete values of event $\phi(\mathbf{e}')$. We have that the configuration 
$(P'(t), \phi(\Gamma_{init}) \oplus \mathit{Match}(e', \phi(\mathbf{e}')))$ is unique (thanks to Proposition 5.3). We know from 
assumption (ii) that $\langle \phi(\mathbf{e}') \rangle \frown \phi(tr') \frown \langle \mathbf{e} \rangle \in traces(Proc(t), \phi(\Gamma_{init}))$. Hence 

$$\phi(tr') \frown \langle \mathbf{e} \rangle \in traces(P'(t), \phi(\Gamma_{init}) \oplus \mathit{Match}(e', \phi(\mathbf{e}'))). \tag{B.4}$$

Similarly, since $Proc(t) \xrightarrow{\tau^*}_S \xrightarrow{e'}_S P'(t)$ and $tr = \langle \mathbf{e}' \rangle \frown tr' \in traces(Proc(t), \Gamma_{init})$ (from 
assumption (i)), using Translation Rule 3 (p. 28), Remark 4.14 and Proposition 5.3 we can 
infer that 

$$(Proc(t), \Gamma_{init}) \xRightarrow{\mathbf{e}'} (P'(t), \Gamma_{init} \oplus \mathit{Match}(e', \mathbf{e}')). \tag{B.5}$$

Hence, 

$$tr' \in traces(P'(t), \Gamma_{init} \oplus \mathit{Match}(e', \mathbf{e}')). \tag{B.6}$$

Finally, assumption (iii) implies that 

$$\sigma \frown \langle e \rangle = \sigma_1 \frown \langle e' \rangle \frown \sigma_2 \frown \langle e \rangle \;\; \mathit{generates}_{\phi(\Gamma_{init})} \;\; \phi(tr) \frown \langle \mathbf{e} \rangle = \langle \phi(\mathbf{e}') \rangle \frown \phi(tr') \frown \langle \mathbf{e} \rangle.$$

So, by the definition of generates (p. 29), 

$$\sigma_2 \frown \langle e \rangle \;\; \mathit{generates}_{\phi(\Gamma_{init}) \oplus \mathit{Match}(e', \phi(\mathbf{e}'))} \;\; \phi(tr') \frown \langle \mathbf{e} \rangle. \tag{B.7}$$

We can now deduce the inductive hypothesis for $P'(t)$, with $tr'$ in place of $tr$, $\sigma_2$ in 
place of $\sigma$, and $\Gamma_{init} \oplus \mathit{Match}(e', \mathbf{e}')$ in place of $\Gamma_{init}$: (B.6) gives us condition (i); (B.4) gives 
us condition (ii), observing that $\phi(\Gamma_{init}) \oplus \mathit{Match}(e', \phi(\mathbf{e}')) = \phi(\Gamma_{init} \oplus \mathit{Match}(e', \mathbf{e}'))$; and 
(B.3) and (B.7) give us condition (iii). Hence 

$$\forall v' \in \{1 \,..\, k\} \to Value \mid (\forall i \in \$^t(e) \cup ?^t(e) \bullet v'_i \in T) \wedge (\forall i \in !(e) \bullet v'_i = v_i) \bullet tr' \frown \langle c.v'_1 \ldots v'_k \rangle \in traces(P'(t), \Gamma_{init} \oplus \mathit{Match}(e', \mathbf{e}')).$$

This, combined with (B.5), gives us that 

$$\forall v' \in \{1 \,..\, k\} \to Value \mid (\forall i \in \$^t(e) \cup ?^t(e) \bullet v'_i \in T) \wedge (\forall i \in !(e) \bullet v'_i = v_i) \bullet \langle \mathbf{e}' \rangle \frown tr' \frown \langle c.v'_1 \ldots v'_k \rangle \in traces(Proc(t), \Gamma_{init}).$$

However, $tr = \langle \mathbf{e}' \rangle \frown tr'$, so the result holds. 

Conditional choice. Suppose that Proc(t) = if cond then P(t) else <3(i). If cond is not 
in Cond, then cone? immediately evaluates to True or False and the result is immediately 
implied by the inductive hypothesis for P(t) or Q{t), respectively. So suppose cond is in 
Cond. Then, by the SSOS firing rules for conditional choice (see Section [4.3.2|) it must be 
that 

a = {cond)"p or a = (~^cond)"p 

for some symbolic trace p. We now perform a case analysis on the truth value of the 
evaluation of cond within the environments Ti n a and 4>(Ti n it). 

Case 1. Suppose that [[cond]]^(r imi ) = [[cond]]r mit = True. Then it must be that p G 
SymbolicTraces(P(t)). From assumption (iii) we have that 

p"(e) generates ^ r . n . t) ^tr)'(e). 

In addition, from assumptions (i) and (ii) we have that 

tr G traces (P(t),T init ) and ^(tr)~(e) G traces(P(t), <j)(T init )). 

The result is now implied in this case by the inductive hypothesis for P{t) and the fact that 

{Proc{t),T init ) ^ (P(t),T 

init ) • 

Case 2. Suppose that \cond\ ( j ) (r. n . t \ = [[conrf]]r m , 4 = False. This case is like Case 1, above, 
with Q(t) in place of P(t). 

Case 3. Suppose that $[\![cond]\!]_{\phi(\Gamma_{init})} = True \wedge [\![cond]\!]_{\Gamma_{init}} = False$. Then, by assumptions (i) and (ii),

$$tr \in traces(Q(t), \Gamma_{init}) \quad\text{and}\quad \phi(tr)\,\hat{}\,\langle e\rangle \in traces(P(t), \phi(\Gamma_{init})).$$

Since $Proc(t)$ satisfies $RevPosConjEqT$, we have that $(Q(t), \phi(\Gamma_{init})) \sqsubseteq_T (P(t), \phi(\Gamma_{init}))$, so

$$\phi(tr)\,\hat{}\,\langle e\rangle \in traces(Q(t), \phi(\Gamma_{init})).$$

Let $\rho'\,\hat{}\,\langle e'\rangle \in SymbolicTraces(Q(t))$ be such that $\rho'\,\hat{}\,\langle e'\rangle\ \mathit{generates}_{\phi(\Gamma_{init})}\ \phi(tr)\,\hat{}\,\langle e\rangle$. Then, by Lemma [?], $!(e') \subseteq\, !(e)$. Hence $!^t(e') \subseteq\, !^t(e)$, so assumption (iv) implies that

$$\forall i \in\, !^t(e') \cdot v_i \in \{0 \mathbin{..} B-1\}.$$

Therefore, by the inductive hypothesis for $Q(t)$,

$$\forall v' \in \{1 \mathbin{..} k\} \to Value \mid (\forall i \in \$^t(e') \cup ?^t(e') \cdot v'_i \in T) \wedge (\forall i \in\, !(e') \cdot v'_i = v_i) \cdot tr\,\hat{}\,\langle c.v'_1 \ldots v'_k\rangle \in traces(Q(t), \Gamma_{init}). \tag{B.8}$$

Suppose $v' \in \{1 \mathbin{..} k\} \to Value$ is such that

$$(\forall i \in \$^t(e) \cup ?^t(e) \cdot v'_i \in T) \wedge (\forall i \in\, !(e) \cdot v'_i = v_i).$$

The fact that $!(e') \subseteq\, !(e)$ implies that

$$\forall i \in\, !(e') \cdot v'_i = v_i. \tag{B.9}$$

In addition, we know that both $e$ and $e'$ give rise to $c.v_1 \ldots v_k$, so

$$\$^t(e') \cup ?^t(e') \cup\, !^t(e') = \$^t(e) \cup ?^t(e) \cup\, !^t(e),$$

which means that

$$\$^t(e') \cup ?^t(e') \subseteq \$^t(e) \cup ?^t(e) \cup\, !^t(e).$$

Therefore, since $\forall i \in\, !^t(e) \cdot v'_i \in T$ (as $\forall i \in\, !^t(e) \cdot v'_i = v_i$ and, by assumption (iv), $\forall i \in\, !^t(e) \cdot v_i \in T$) and $\forall i \in \$^t(e) \cup ?^t(e) \cdot v'_i \in T$ (by our assumption about $v'$),

$$\forall i \in \$^t(e') \cup ?^t(e') \cdot v'_i \in T.$$

Combining this with (B.9) and (B.8), we get that

$$\forall v' \in \{1 \mathbin{..} k\} \to Value \mid (\forall i \in \$^t(e) \cup ?^t(e) \cdot v'_i \in T) \wedge (\forall i \in\, !(e) \cdot v'_i = v_i) \cdot tr\,\hat{}\,\langle c.v'_1 \ldots v'_k\rangle \in traces(Q(t), \Gamma_{init}).$$

The result now follows, because $(Proc(t), \Gamma_{init}) \Longrightarrow (Q(t), \Gamma_{init})$.

Case 4. Suppose that $[\![cond]\!]_{\phi(\Gamma_{init})} = False \wedge [\![cond]\!]_{\Gamma_{init}} = True$. This case is not possible, since $cond$ is a conjunction of equality tests and for no function $\phi$ can we ever have $x = y$ and $\phi(x) \neq \phi(y)$. □

We now prove Proposition 6.8. We will need the following lemma, which shows that in this case non-$t$ equivalent symbolic traces are in fact non-$\tau$ equivalent.

Lemma B.1. Suppose $\sigma, \sigma'$ are symbolic traces that contain no conditional symbolic events, $\sigma =_{non\text{-}t} \sigma'$, neither $\sigma$ nor $\sigma'$ ends in $\tau$, and

$$P(t) \stackrel{\sigma}{\Longrightarrow}_s Q(t) \quad\text{and}\quad P(t) \stackrel{\sigma'}{\Longrightarrow}_s Q'(t).$$

Then $\sigma =_{non\text{-}\tau} \sigma'$ and $Q(t) = Q'(t)$.

Proof. We prove the result by induction on the number of visible symbolic events in $\sigma$ and $\sigma'$. The base case of $\sigma = \sigma' = \langle\rangle$ is trivial.

Suppose $\sigma = \sigma_0 \,\hat{}\, \tau^a \,\hat{}\, \langle e\rangle$, $\sigma' = \sigma'_0 \,\hat{}\, \tau^b \,\hat{}\, \langle e'\rangle$, and $\sigma_0, \sigma'_0$ do not end in $\tau$. Then $\sigma_0 =_{non\text{-}t} \sigma'_0$, $e =_{non\text{-}t} e'$, and

$$P(t) \stackrel{\sigma_0}{\Longrightarrow}_s Q_0(t) \stackrel{\tau^a \hat{}\, \langle e\rangle}{\Longrightarrow}_s Q(t) \quad\text{and}\quad P(t) \stackrel{\sigma'_0}{\Longrightarrow}_s Q'_0(t) \stackrel{\tau^b \hat{}\, \langle e'\rangle}{\Longrightarrow}_s Q'(t)$$

for some $Q_0(t)$ and $Q'_0(t)$. Then by the inductive hypothesis, $\sigma_0 =_{non\text{-}\tau} \sigma'_0$ and $Q_0(t) = Q'_0(t)$. Then by Lemma A.3 the $t$ parts of $e$ and $e'$ are equal, so $e = e'$; hence $\sigma =_{non\text{-}\tau} \sigma'$. Finally, by Lemma [?], $Q(t) = Q'(t)$. □

Proof of Proposition 6.8. Let $\sigma\,\hat{}\,\langle e\rangle$ be a symbolic trace of $Spec(t)$. If $\sigma'\,\hat{}\,\langle e'\rangle$ is a symbolic trace of $Spec(t)$ such that $\sigma\,\hat{}\,\langle e\rangle =_{non\text{-}t} \sigma'\,\hat{}\,\langle e'\rangle$, then by the above lemma, $e = e'$. Hence $!^t(\sigma, e)(Spec(t)) = \,!^t(e)$. So in Theorem [?],

$$Thresh_T = \max\{\#!^t(e)(Spec(t)) \mid \sigma\,\hat{}\,\langle e\rangle \in SymbolicTraces(Spec(t))\} \le \max\{\#!^t(\alpha) \mid \alpha \text{ is a construct of } Spec(t)\}$$

with equality in the normal case that every construct is reachable. □



B.2. Proofs for Section 6.2

Proof of Proposition 6.11. We prove the result using a structural induction on $Proc(t)$. We give just the cases for prefix and conditional choice.

Prefix. Suppose that $Proc(t) = a \to Proc'(t)$ for some construct $a = c\,\$_1 x_1{:}X_1 \ldots \$_k x_k{:}X_k$ and some process syntax $Proc'(t)$. We now consider two cases.

Subcase 1. Suppose that $tr = \langle\rangle$. The fact that $(\phi(tr), X) \in failures(Proc(t), \phi(\Gamma_{init}))$ implies that there exists an environment $\Gamma$ with $dom(\Gamma) = \$^t(a)$ such that

$$(Proc(t), \phi(\Gamma_{init})) \Longrightarrow (P(t), \phi(\Gamma_{init}) \oplus \Gamma)\ \mathit{ref}\ X,$$

where $P(t)$ is like $Proc(t)$, but with some substitutions of concrete values for the nondeterministic input variables of non-$t$ types of $a$ and with the effects of the application of $Replace^{\$}$, as dictated by the SSOS firing rules for prefix (see Section 4.3.2). Then,

$$(Proc(t), \Gamma_{init}) \Longrightarrow (P(t), \Gamma_{init} \oplus \Gamma)$$

by resolving the nondeterministic selections of $a$ (if any) in the same way. We now show that $(P(t), \Gamma_{init} \oplus \Gamma)\ \mathit{ref}\ X$. Observe that the only difference between the initial events of two configurations $(S, \Gamma_1)$ and $(S, \Gamma_2)$ are the output values of type $t$ that come from the environments $\Gamma_1$ and $\Gamma_2$. Therefore,

$$initials(P(t), \Gamma_{init} \oplus \Gamma) = \{ c.v'_1 \ldots v'_k \mid (\forall i \in\, !^t(a) \cdot v'_i = (\Gamma_{init} \oplus \Gamma)(x_i)) \wedge \exists\, c.v_1 \ldots v_k \in initials(P(t), \phi(\Gamma_{init}) \oplus \Gamma) \cdot \forall i \in \{1 \mathbin{..} k\} \setminus\, !^t(a) \cdot v'_i = v_i \}.$$

Let $v$ be such that $c.v_1 \ldots v_k$ is in $initials(P(t), \phi(\Gamma_{init}) \oplus \Gamma)$ and let $v'$ be such that $c.v'_1 \ldots v'_k$ is in $initials(P(t), \Gamma_{init} \oplus \Gamma)$ with $\forall i \in \{1 \mathbin{..} k\} \setminus\, !^t(a) \cdot v'_i = v_i$. Also, let $i \in\, !^t(a)$. Hence $v_i = (\phi(\Gamma_{init}) \oplus \Gamma)(x_i)$ and $v'_i = (\Gamma_{init} \oplus \Gamma)(x_i)$. Hence, by assumption (iii) of the proposition, $v'_i \in \{0 \mathbin{..} B-1\}$. So, thanks to the properties of $\phi$, $\phi(v'_i) = v'_i$. Hence $(\phi(\Gamma_{init}) \oplus \Gamma)(x_i) = v'_i$ since $x_i \notin dom(\Gamma)$. Therefore

$$\forall i \in\, !^t(a) \cdot v'_i = (\Gamma_{init} \oplus \Gamma)(x_i) = (\phi(\Gamma_{init}) \oplus \Gamma)(x_i) = v_i.$$

Hence,

$$initials(P(t), \Gamma_{init} \oplus \Gamma) = initials(P(t), \phi(\Gamma_{init}) \oplus \Gamma). \tag{B.10}$$

Since $(P(t), \Gamma_{init} \oplus \Gamma)$ is stable, $(P(t), \Gamma_{init} \oplus \Gamma)\ \mathit{ref}\ Y$ for all $Y \subseteq \Sigma \setminus initials(P(t), \Gamma_{init} \oplus \Gamma)$. However, from the fact that $(P(t), \phi(\Gamma_{init}) \oplus \Gamma)\ \mathit{ref}\ X$ we can infer that $X \subseteq \Sigma \setminus initials(P(t), \phi(\Gamma_{init}) \oplus \Gamma)$, so by (B.10) $(P(t), \Gamma_{init} \oplus \Gamma)\ \mathit{ref}\ X$. This implies that $(tr, X) \in failures(Proc(t), \Gamma_{init})$, as required.

Subcase 2. Suppose that $tr \neq \langle\rangle$. Then $tr = \langle e\rangle\,\hat{}\,tr'$ for some visible event $e$ that matches $a$ and trace $tr'$. Let $\Gamma = \phi(\Gamma_{init}) \oplus Match(a, \phi(e))$ and $\Gamma' = \Gamma_{init} \oplus Match(a, e)$. From the assumptions of the proposition we can infer that

$$tr' \in traces(P(t), \Gamma') \quad\text{and}\quad (\phi(tr'), X) \in failures(P(t), \Gamma),$$

where $P(t)$ is like $Proc'(t)$, but with some substitutions of concrete values for the non-$t$ type input variables of $a$, as dictated by the SSOS firing rules for prefix (see Section 4.3.2).

Assumption (iii), combined with the fact that $(Proc(t), \Gamma_{init}) \stackrel{\langle e\rangle}{\Longrightarrow} (P(t), \Gamma')$, implies that if $P$ is a configuration such that $(P(t), \Gamma') \stackrel{tr'}{\Longrightarrow} P$, then every output of type $t$ of every event in $initials(P)$ is in $\{0 \mathbin{..} B-1\}$. Observe that $\Gamma = \phi(\Gamma')$. So, by the inductive hypothesis for $P(t)$, $(tr', X) \in failures(P(t), \Gamma')$, which implies that $(tr, X) \in failures(Proc(t), \Gamma_{init})$.

Conditional choice. Suppose that $Proc(t) = \textbf{if } cond \textbf{ then } P(t) \textbf{ else } Q(t)$ for some process syntaxes $P(t)$ and $Q(t)$. If $cond$ is not in $Cond$, then it immediately evaluates to $True$ or $False$, in which case the result is implied by the inductive hypothesis for $P(t)$ or $Q(t)$, respectively. For a condition $cond$ in $Cond$ we perform a case analysis on the result of the evaluation of $cond$ within the environments $\Gamma_{init}$ and $\phi(\Gamma_{init})$.

Case 1. Suppose that $[\![cond]\!]_{\phi(\Gamma_{init})} = [\![cond]\!]_{\Gamma_{init}} = True$. Then

$$(\phi(tr), X) \in failures(P(t), \phi(\Gamma_{init})) \quad\text{and}\quad tr \in traces(P(t), \Gamma_{init}).$$

In addition, assumption (iii), combined with the fact that $(Proc(t), \Gamma_{init}) \Longrightarrow (P(t), \Gamma_{init})$, implies that if $P$ is a configuration such that $(P(t), \Gamma_{init}) \stackrel{tr}{\Longrightarrow} P$, then every output of type $t$ of every event in $initials(P)$ is in $\{0 \mathbin{..} B-1\}$. Then the inductive hypothesis for $P(t)$ implies that $(tr, X) \in failures(P(t), \Gamma_{init})$. Therefore, $(tr, X) \in failures(Proc(t), \Gamma_{init})$.

Case 2. Suppose that $[\![cond]\!]_{\phi(\Gamma_{init})} = [\![cond]\!]_{\Gamma_{init}} = False$. This case is like Case 1, above, with $Q(t)$ in place of $P(t)$.

Case 3. Suppose that $[\![cond]\!]_{\phi(\Gamma_{init})} = True \wedge [\![cond]\!]_{\Gamma_{init}} = False$. Then

$$(\phi(tr), X) \in failures(P(t), \phi(\Gamma_{init})) \quad\text{and}\quad tr \in traces(Q(t), \Gamma_{init}).$$

However, $Proc(t)$ satisfies $RevPosConjEqT^F$, so $(Q(t), \phi(\Gamma_{init})) \sqsubseteq_F (P(t), \phi(\Gamma_{init}))$. Hence, $(\phi(tr), X) \in failures(Q(t), \phi(\Gamma_{init}))$.

In addition, assumption (iii), combined with the fact that $(Proc(t), \Gamma_{init}) \Longrightarrow (Q(t), \Gamma_{init})$, implies that if $P$ is a configuration such that $(Q(t), \Gamma_{init}) \stackrel{tr}{\Longrightarrow} P$, then every output of type $t$ of every event in $initials(P)$ is in $\{0 \mathbin{..} B-1\}$. The inductive hypothesis for $Q(t)$ now implies that $(tr, X) \in failures(Q(t), \Gamma_{init})$, which implies that $(tr, X) \in failures(Proc(t), \Gamma_{init})$.

Case 4. Suppose that $[\![cond]\!]_{\phi(\Gamma_{init})} = False \wedge [\![cond]\!]_{\Gamma_{init}} = True$. This case is not possible, since $cond$ is a conjunction of equality tests and for no function $\phi$ can we ever have $x = y$ and $\phi(x) \neq \phi(y)$. □
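The Case 4 impossibility argument (used in both conditional-choice proofs above) and its asymmetry with Case 3 can be checked mechanically. The following Python script is an added example, not code from the paper: it assumes a concrete collapsing function `phi` that fixes $\{0 \mathbin{..} B-1\}$ and sends every larger value to $B$ (the proofs above only use the fixed-point property of $\phi$; this particular instance is a hypothetical one), a constructed sample type, and a condition given as a list of variable-name pairs conjoined as equality tests. It then classifies every environment over the sample type into the four cases of the proof and confirms that Case 4 is never reached while Case 3 is, once two values above the threshold exist.

```python
# Added example (not from the paper). Models the collapsing function phi of the
# type reduction argument and exhaustively checks the four cases of the
# conditional-choice proof for a condition that is a conjunction of equality
# tests. The concrete phi below is an assumption: identity on {0..B-1}, every
# larger value collapsed to B. Only the fixed-point property is used by the proof.
from itertools import product

B = 3                       # assumed threshold
SAMPLE_TYPE = range(0, 8)   # a constructed "uncollapsed" instantiation of t


def phi(v: int) -> int:
    """Collapsing map phi: fixes {0..B-1}, sends everything else to B (assumption)."""
    return v if v < B else B


def apply_phi(env: dict) -> dict:
    """phi(Gamma): apply phi pointwise to every variable of the environment."""
    return {x: phi(v) for x, v in env.items()}


def eval_conj_eq(cond, env: dict) -> bool:
    """[[cond]]_Gamma for cond = (x1 = y1) /\\ ... /\\ (xn = yn), given as (x, y) pairs."""
    return all(env[x] == env[y] for x, y in cond)


def classify(cond, env: dict) -> int:
    """Case number from the proof: how cond evaluates in Gamma versus phi(Gamma)."""
    in_orig = eval_conj_eq(cond, env)
    in_phi = eval_conj_eq(cond, apply_phi(env))
    if in_phi and in_orig:
        return 1          # True in both environments
    if not in_phi and not in_orig:
        return 2          # False in both environments
    if in_phi and not in_orig:
        return 3          # collapsing made distinct values equal
    return 4              # phi separated equal values: impossible for a function


def case_counts(cond, variables, domain) -> dict:
    """Exhaustively classify every environment over `domain` for the given cond."""
    counts = {1: 0, 2: 0, 3: 0, 4: 0}
    for values in product(domain, repeat=len(variables)):
        counts[classify(cond, dict(zip(variables, values)))] += 1
    return counts


def equality_preserved_forward(domain) -> bool:
    """x = y  ==>  phi(x) = phi(y): the Case 4 argument, valid for any function phi."""
    return all(phi(x) == phi(y) for x in domain for y in domain if x == y)


def collapse_merges_values(domain) -> bool:
    """The converse fails once two values >= B exist: phi(x) = phi(y) with x != y (Case 3)."""
    return any(phi(x) == phi(y) and x != y for x in domain for y in domain)


if __name__ == "__main__":
    cond = [("x", "y")]  # constructed condition: a single equality test
    print(case_counts(cond, ["x", "y"], SAMPLE_TYPE))
```

The Case 3 count is exactly the number of ordered pairs of distinct values that $\phi$ identifies; that is the situation in which the proofs fall back on $RevPosConjEqT$ (respectively $RevPosConjEqT^F$) to move from the $P(t)$ branch to the $Q(t)$ branch. Within $\{0 \mathbin{..} B-1\}$ alone, where $\phi$ is the identity, no such merging occurs.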

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view
a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a
letter to Creative Commons, 171 Second St, Suite 300, San Francisco, CA 94105, USA, or
Eisenacher Strasse 2, 10777 Berlin, Germany



